diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h include/linux/netfilter/ipv4/nf_conntrack_icmp.h
--- include.orig/linux/netfilter/ipv4/nf_conntrack_icmp.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/ipv4/nf_conntrack_icmp.h 2005-08-02 20:02:17.683251344 +0200
@@ -0,0 +1,17 @@
+/*
+ * ICMP tracking.
+#endif /* _NF_CONNTRACK_ICMP_H */
diff -uNr include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h include/linux/netfilter/ipv4/nf_conntrack_ipv4.h
--- include.orig/linux/netfilter/ipv4/nf_conntrack_ipv4.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/ipv4/nf_conntrack_ipv4.h 2005-08-02 20:02:17.684251192 +0200
@@ -0,0 +1,40 @@
+/*
+ * IPv4 support for nf_conntrack.
+#endif /*_NF_CONNTRACK_IPV4_H*/
diff -uNr include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h
--- include.orig/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/ipv6/nf_conntrack_icmpv6.h 2005-08-02 20:02:17.698249064 +0200
@@ -0,0 +1,27 @@
+/*
+ * ICMPv6 tracking.
+#endif /* _NF_CONNTRACK_ICMPV6_H */
diff -uNr include.orig/linux/netfilter/nf_conntrack_core.h include/linux/netfilter/nf_conntrack_core.h
--- include.orig/linux/netfilter/nf_conntrack_core.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_core.h 2005-05-06 22:28:14.000000000 +0200
-@@ -0,0 +1,71 @@
++++ include/linux/netfilter/nf_conntrack_core.h 2005-08-02 20:02:17.687250736 +0200
+@@ -0,0 +1,72 @@
+/*
+ * This header is used to share core functionality between the
+ * standalone connection tracking module, and the compatibility layer's use
+#define _NF_CONNTRACK_CORE_H
+
+#include <linux/netfilter.h>
++#include <linux/netfilter_ipv4/lockhelp.h>
+
+/* This header is used to share core functionality between the
+ standalone connection tracking module, and the compatibility layer's use
+#endif /* _NF_CONNTRACK_CORE_H */
diff -uNr include.orig/linux/netfilter/nf_conntrack_ftp.h include/linux/netfilter/nf_conntrack_ftp.h
--- include.orig/linux/netfilter/nf_conntrack_ftp.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_ftp.h 2005-05-06 22:08:00.000000000 +0200
-@@ -0,0 +1,48 @@
++++ include/linux/netfilter/nf_conntrack_ftp.h 2005-08-02 20:02:17.700248760 +0200
+@@ -0,0 +1,59 @@
+/*
+ * nf_conntrack_ftp.h
+ *
+#define _NF_CONNTRACK_FTP_H
+/* FTP tracking. */
+
++#ifdef __KERNEL__
++
++#include <linux/netfilter_ipv4/lockhelp.h>
++
++/* Protects ftp part of conntracks */
++DECLARE_LOCK_EXTERN(ip_ftp_lock);
++
++#define FTP_PORT 21
++
++#endif /* __KERNEL__ */
++
+enum nf_ct_ftp_type
+{
+ /* PORT command from client */
+#endif /* _NF_CONNTRACK_FTP_H */
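Review bot: `ip_ftp_lock` and `FTP_PORT`, added under `__KERNEL__` in nf_conntrack_ftp.h, keep `ip_`-prefixed and unprefixed names in a header whose other identifiers use `nf_ct_`. If the IPv4-only FTP tracker defines a global lock with the same name and both trackers are built in, the symbols would clash at link time; that other definition is not visible on this page, so confirm. Renaming to something like `nf_ftp_lock` and a prefixed port constant would avoid the question. The lock comment could also name the fields it guards rather than "ftp part of conntracks".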
diff -uNr include.orig/linux/netfilter/nf_conntrack.h include/linux/netfilter/nf_conntrack.h
--- include.orig/linux/netfilter/nf_conntrack.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack.h 2005-05-06 22:07:48.000000000 +0200
-@@ -0,0 +1,54 @@
++++ include/linux/netfilter/nf_conntrack.h 2005-08-02 20:02:17.708247544 +0200
+@@ -0,0 +1,302 @@
+/*
+ * Connection state tracking for netfilter. This is separated from,
+ * but required by, the (future) NAT layer; it can also be used by an iptables
+ NF_S_CONFIRMED = (1 << NF_S_CONFIRMED_BIT),
+};
+
++#ifdef __KERNEL__
++#include <linux/config.h>
++#include <linux/netfilter/nf_conntrack_tuple.h>
++#include <linux/bitops.h>
++#include <linux/compiler.h>
++#include <asm/atomic.h>
++
++#include <linux/netfilter/nf_conntrack_tcp.h>
++#include <linux/netfilter/ipv4/nf_conntrack_icmp.h>
++#include <linux/netfilter/ipv6/nf_conntrack_icmpv6.h>
++#include <linux/netfilter/nf_conntrack_sctp.h>
++
++/* per conntrack: protocol private data */
++union nf_conntrack_proto {
++ /* insert conntrack proto private data here */
++ struct nf_ct_sctp sctp;
++ struct nf_ct_tcp tcp;
++ struct nf_ct_icmp icmp;
++ struct nf_ct_icmpv6 icmpv6;
++};
++
++union nf_conntrack_expect_proto {
++ /* insert expect proto private data here */
++};
++
++/* Add protocol helper include file here */
++#include <linux/netfilter/nf_conntrack_ftp.h>
++
++/* per conntrack: application helper private data */
++union nf_conntrack_help {
++ /* insert conntrack helper private data (master) here */
++ struct nf_ct_ftp_master ct_ftp_info;
++};
++
++#include <linux/types.h>
++#include <linux/skbuff.h>
++
++#ifdef CONFIG_NETFILTER_DEBUG
++#define NF_CT_ASSERT(x) \
++do { \
++ if (!(x)) \
++ /* Wooah! I'm tripping my conntrack in a frenzy of \
++ netplay... */ \
++ printk("NF_CT_ASSERT: %s:%i(%s)\n", \
++ __FILE__, __LINE__, __FUNCTION__); \
++} while(0)
++#else
++#define NF_CT_ASSERT(x)
++#endif
++
++struct nf_conntrack_counter
++{
++ u_int64_t packets;
++ u_int64_t bytes;
++};
++
++struct nf_conntrack_helper;
++
++#include <linux/netfilter/ipv4/nf_conntrack_ipv4.h>
++struct nf_conn
++{
++ /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
++ plus 1 for any connection(s) we are `master' for */
++ struct nf_conntrack ct_general;
++
++ /* XXX should I move this to the tail ? - Y.K */
++ /* These are my tuples; original and reply */
++ struct nf_conntrack_tuple_hash tuplehash[NF_CT_DIR_MAX];
++
++ /* Have we seen traffic both ways yet? (bitset) */
++ unsigned long status;
++
++ /* Timer function; drops refcnt when it goes off. */
++ struct timer_list timeout;
++
++#ifdef CONFIG_NF_CT_ACCT
++ /* Accounting Information (same cache line as other written members) */
++ struct nf_conntrack_counter counters[NF_CT_DIR_MAX];
++#endif
++ /* If we were expected by an expectation, this will be it */
++ struct nf_conn *master;
++
++ /* Current number of expected connections */
++ unsigned int expecting;
++
++ /* Helper. if any */
++ struct nf_conntrack_helper *helper;
++
++ /* features - nat, helper, ... used by allocating system */
++ u_int32_t features;
++
++ /* Storage reserved for other modules: */
++
++ union nf_conntrack_proto proto;
++
++#if defined(CONFIG_NF_CONNTRACK_MARK)
++ unsigned long mark;
++#endif
++
++ /* These members are dynamically allocated. */
++
++ union nf_conntrack_help *help;
++
++ /* Layer 3 dependent members. (ex: NAT) */
++ union {
++ struct nf_conntrack_ipv4 *ipv4;
++ } l3proto;
++ void *data[0];
++};
++
++struct nf_conntrack_expect
++{
++ /* Internal linked list (global expectation list) */
++ struct list_head list;
++
++ /* We expect this tuple, with the following mask */
++ struct nf_conntrack_tuple tuple, mask;
++
++ /* Function to call after setup and insertion */
++ void (*expectfn)(struct nf_conn *new,
++ struct nf_conntrack_expect *this);
++
++ /* The conntrack of the master connection */
++ struct nf_conn *master;
++
++ /* Timer function; deletes the expectation. */
++ struct timer_list timeout;
++
++#ifdef CONFIG_NF_NAT_NEEDED
++ /* This is the original per-proto part, used to map the
++ * expected connection the way the recipient expects. */
++ union nf_conntrack_manip_proto saved_proto;
++ /* Direction relative to the master connection. */
++ enum nf_conntrack_dir dir;
++#endif
++};
++
++static inline struct nf_conn *
++tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
++{
++ return container_of(hash, struct nf_conn,
++ tuplehash[hash->tuple.dst.dir]);
++}
++
++/* get master conntrack via master expectation */
++#define master_ct(conntr) (conntr->master)
++
++/* Alter reply tuple (maybe alter helper). */
++extern void
++nf_conntrack_alter_reply(struct nf_conn *conntrack,
++ const struct nf_conntrack_tuple *newreply);
++
++/* Is this tuple taken? (ignoring any belonging to the given
++ conntrack). */
++extern int
++nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
++ const struct nf_conn *ignored_conntrack);
++
++/* Return conntrack_info and tuple hash for given skb. */
++static inline struct nf_conn *
++nf_ct_get(struct sk_buff *skb, enum nf_conntrack_info *ctinfo)
++{
++ *ctinfo = skb->nfctinfo;
++ return (struct nf_conn *)skb->nfct;
++}
++
++/* decrement reference count on a conntrack */
++extern void nf_ct_put(struct nf_conn *ct);
++
++/* call to create an explicit dependency on nf_conntrack. */
++extern void need_nf_conntrack(void);
++
++extern int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
++ const struct nf_conntrack_tuple *orig);
++
++/* Refresh conntrack for this many jiffies */
++extern void nf_ct_refresh_acct(struct nf_conn *ct,
++ enum nf_conntrack_info ctinfo,
++ const struct sk_buff *skb,
++ unsigned long extra_jiffies);
++
++/* These are for NAT. Icky. */
++/* Call me when a conntrack is destroyed. */
++extern void (*nf_conntrack_destroyed)(struct nf_conn *conntrack);
++
++/* Fake conntrack entry for untracked connections */
++extern struct nf_conn nf_conntrack_untracked;
++
++extern int nf_ct_no_defrag;
++
++/* Iterate over all conntracks: if iter returns true, it's deleted. */
++extern void
++nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data);
++
++/* It's confirmed if it is, or has been in the hash table. */
++static inline int is_confirmed(struct nf_conn *ct)
++{
++ return test_bit(NF_S_CONFIRMED_BIT, &ct->status);
++}
++
++extern unsigned int nf_conntrack_htable_size;
++
++struct nf_conntrack_stat
++{
++ unsigned int searched;
++ unsigned int found;
++ unsigned int new;
++ unsigned int invalid;
++ unsigned int ignore;
++ unsigned int delete;
++ unsigned int delete_list;
++ unsigned int insert;
++ unsigned int insert_failed;
++ unsigned int drop;
++ unsigned int early_drop;
++ unsigned int error;
++ unsigned int expect_new;
++ unsigned int expect_create;
++ unsigned int expect_delete;
++};
++
++#define NF_CT_STAT_INC(count) (__get_cpu_var(nf_conntrack_stat).count++)
++
++/* eg. PROVIDES_CONNTRACK(ftp); */
++#define PROVIDES_CONNTRACK(name) \
++ int needs_nf_conntrack_##name; \
++ EXPORT_SYMBOL(needs_nf_conntrack_##name)
++
++/*. eg. NEEDS_CONNTRACK(ftp); */
++#define NEEDS_CONNTRACK(name) \
++ extern int needs_nf_conntrack_##name; \
++ static int *need_nf_conntrack_##name __attribute_used__ = &needs_nf_conntrack_##name
++
++/* no helper, no nat */
++#define NF_CT_F_BASIC 0
++/* for helper */
++#define NF_CT_F_HELP 1
++/* for nat. */
++#define NF_CT_F_NAT 2
++#define NF_CT_F_NUM 4
++
++extern int
++nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size,
++ int (*init_conntrack)(struct nf_conn *, u_int32_t));
++extern void
++nf_conntrack_unregister_cache(u_int32_t features);
++
++#endif /* __KERNEL__ */
+#endif /* _NF_CONNTRACK_H */
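Review bot: `NF_CT_ASSERT` in nf_conntrack.h only logs and lets execution continue, and it expands to nothing without `CONFIG_NETFILTER_DEBUG`, so its argument is not even evaluated in a normal build. A comment above the macro should say so, for example `/* Debug aid only: logs and continues; never the sole guard for a length, index or state, and x must have no side effects. */`. The `printk` call also carries no `KERN_` level, so adding one (e.g. `KERN_ERR`) would make the message filterable. Separately, `master_ct(conntr)` expands its argument unparenthesized; `((conntr)->master)` is the safe form.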
diff -uNr include.orig/linux/netfilter/nf_conntrack_helper.h include/linux/netfilter/nf_conntrack_helper.h
--- include.orig/linux/netfilter/nf_conntrack_helper.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_helper.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/nf_conntrack_helper.h 2005-08-02 20:02:17.706247848 +0200
@@ -0,0 +1,50 @@
+/*
+ * connection tracking helpers.
+#endif /*_NF_CONNTRACK_HELPER_H*/
diff -uNr include.orig/linux/netfilter/nf_conntrack_l3proto.h include/linux/netfilter/nf_conntrack_l3proto.h
--- include.orig/linux/netfilter/nf_conntrack_l3proto.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_l3proto.h 2005-05-06 22:27:57.000000000 +0200
-@@ -0,0 +1,92 @@
++++ include/linux/netfilter/nf_conntrack_l3proto.h 2005-08-02 20:02:17.713246784 +0200
+@@ -0,0 +1,93 @@
+/*
+ * Copyright (C)2003,2004 USAGI/WIDE Project
+ *
+
+#ifndef _NF_CONNTRACK_L3PROTO_H
+#define _NF_CONNTRACK_L3PROTO_H
++#include <linux/seq_file.h>
+#include <linux/netfilter/nf_conntrack.h>
+
+struct nf_conntrack_l3proto
+#endif /*_NF_CONNTRACK_L3PROTO_H*/
diff -uNr include.orig/linux/netfilter/nf_conntrack_protocol.h include/linux/netfilter/nf_conntrack_protocol.h
--- include.orig/linux/netfilter/nf_conntrack_protocol.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_protocol.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/nf_conntrack_protocol.h 2005-08-02 20:02:17.710247240 +0200
@@ -0,0 +1,105 @@
+/*
+ * Header for use in defining a given protocol for connection tracking.
+#endif /*_NF_CONNTRACK_PROTOCOL_H*/
diff -uNr include.orig/linux/netfilter/nf_conntrack_sctp.h include/linux/netfilter/nf_conntrack_sctp.h
--- include.orig/linux/netfilter/nf_conntrack_sctp.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_sctp.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/nf_conntrack_sctp.h 2005-08-02 20:02:17.701248608 +0200
@@ -0,0 +1,30 @@
+/*
+ * SCTP tracking.
+#endif /* _NF_CONNTRACK_SCTP_H */
diff -uNr include.orig/linux/netfilter/nf_conntrack_tcp.h include/linux/netfilter/nf_conntrack_tcp.h
--- include.orig/linux/netfilter/nf_conntrack_tcp.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_tcp.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter/nf_conntrack_tcp.h 2005-08-02 20:02:17.681251648 +0200
@@ -0,0 +1,63 @@
+/*
+ * TCP tracking.
+#endif /* _NF_CONNTRACK_TCP_H */
diff -uNr include.orig/linux/netfilter/nf_conntrack_tuple.h include/linux/netfilter/nf_conntrack_tuple.h
--- include.orig/linux/netfilter/nf_conntrack_tuple.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nf_conntrack_tuple.h 2005-05-06 22:08:08.000000000 +0200
-@@ -0,0 +1,177 @@
++++ include/linux/netfilter/nf_conntrack_tuple.h 2005-08-02 20:02:17.704248152 +0200
+@@ -0,0 +1,201 @@
+/*
+ * Definitions and Declarations for tuple.
+ *
+ NF_CT_DIR_MAX
+};
+
++#ifdef __KERNEL__
++
++#define NF_CT_DUMP_TUPLE(tp) \
++DEBUGP("tuple %p: %u %u %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu -> %04x:%04x:%04x:%04x:%04x:%04x:%04x:%04x %hu\n", \
++ (tp), (tp)->src.l3num, (tp)->dst.protonum, \
++ NIP6(*(struct in6_addr *)(tp)->src.u3.all), ntohs((tp)->src.u.all), \
++ NIP6(*(struct in6_addr *)(tp)->dst.u3.all), ntohs((tp)->dst.u.all))
++
++#define NFCTINFO2DIR(ctinfo) ((ctinfo) >= NF_CT_IS_REPLY ? NF_CT_DIR_REPLY : NF_CT_DIR_ORIGINAL)
++
++/* If we're the first tuple, it's the original dir. */
++#define NF_CT_DIRECTION(h) \
++ ((enum nf_conntrack_dir)(h)->tuple.dst.dir)
++
++/* Connections have two entries in the hash table: one for each way */
++struct nf_conntrack_tuple_hash
++{
++ struct list_head list;
++
++ struct nf_conntrack_tuple tuple;
++};
++
++#endif /* __KERNEL__ */
++
+static inline int nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
+ const struct nf_conntrack_tuple *t2)
+{
+#endif /* _NF_CONNTRACK_TUPLE_H */
diff -uNr include.orig/linux/netfilter/nfnetlink.h include/linux/netfilter/nfnetlink.h
--- include.orig/linux/netfilter/nfnetlink.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter/nfnetlink.h 2005-05-06 22:08:24.000000000 +0200
-@@ -0,0 +1,61 @@
++++ include/linux/netfilter/nfnetlink.h 2005-08-02 20:02:17.715246480 +0200
+@@ -0,0 +1,145 @@
+#ifndef _NFNETLINK_H
+#define _NFNETLINK_H
+#include <linux/types.h>
+
++/* nfnetlink groups: Up to 32 maximum */
++#define NF_NETLINK_CONNTRACK_NEW 0x00000001
++#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
++#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
++#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
++#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
++#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
++
+/* Generic structure for encapsulation optional netfilter information.
+ * It is reminiscent of sockaddr, but with sa_family replaced
+ * with attribute type.
+
+struct nfattr
+{
-+ unsigned short nfa_len;
-+ unsigned short nfa_type;
++ u_int16_t nfa_len __attribute__ ((packed));
++ u_int16_t nfa_type __attribute__ ((packed));
+};
+
++/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time
++ * to put this in a generic file */
++
+#define NFA_ALIGNTO 4
+#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
+#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
+#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
+#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
+#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
++#define NFA_NEST(skb, type) \
++({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
++ NFA_PUT(skb, type, 0, NULL); \
++ __start; })
++#define NFA_NEST_END(skb, start) \
++({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
++ (skb)->len; })
++#define NFA_NEST_CANCEL(skb, start) \
++({ if (start) \
++ skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
++ -1; })
+
+/* General form of address family dependent message.
+ */
+struct nfgenmsg {
-+ unsigned char nfgen_family;
++ u_int8_t nfgen_family __attribute__ ((packed)); /* AF_xxx */
++ u_int8_t version __attribute__ ((packed)); /* nfnetlink version */
++ u_int16_t res_id __attribute__ ((packed)); /* resource id */
+};
+
++#define NFNETLINK_V1 1
++
+#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
+ + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
+#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
+
-+
-+#ifndef NETLINK_NETFILTER
-+#define NETLINK_NETFILTER 10
-+#endif
-+
+/* netfilter netlink message types are split in two pieces:
+ * 8 bit subsystem, 8bit operation.
+ */
+ NFNL_SUBSYS_COUNT,
+};
+
++#ifdef __KERNEL__
++
++#include <linux/capability.h>
++
++struct nfnl_callback
++{
++ kernel_cap_t cap_required; /* capabilities required for this msg */
++ int (*call)(struct sock *nl, struct sk_buff *skb,
++ struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
++};
++
++struct nfnetlink_subsystem
++{
++ const char *name;
++ __u8 subsys_id; /* nfnetlink subsystem ID */
++ __u8 cb_count; /* number of callbacks */
++ u_int32_t attr_count; /* number of nfattr's */
++ struct nfnl_callback *cb; /* callback for individual types */
++};
++
++extern void __nfa_fill(struct sk_buff *skb, int attrtype,
++ int attrlen, const void *data);
++#define NFA_PUT(skb, attrtype, attrlen, data) \
++({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
++ __nfa_fill(skb, attrtype, attrlen, data); })
++
++extern struct semaphore nfnl_sem;
++
++#define nfnl_shlock() down(&nfnl_sem)
++#define nfnl_shlock_nowait() down_trylock(&nfnl_sem)
++
++#define nfnl_shunlock() do { up(&nfnl_sem); \
++ if(nfnl && nfnl->sk_receive_queue.qlen) \
++ nfnl->sk_data_ready(nfnl, 0); \
++ } while(0)
++
++extern void nfnl_lock(void);
++extern void nfnl_unlock(void);
++
++extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n);
++extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n);
++
++extern int nfattr_parse(struct nfattr *tb[], int maxattr,
++ struct nfattr *nfa, int len);
++
++#define nfattr_parse_nested(tb, max, nfa) \
++ nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
++
++#define nfattr_bad_size(tb, max, cta_min) \
++({ int __i, __res = 0; \
++ for (__i=0; __i<max; __i++) \
++ if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \
++ __res = 1; \
++ break; \
++ } \
++ __res; \
++})
++
++extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
++ int echo);
++extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
++
++#endif /* __KERNEL__ */
+#endif /* _NFNETLINK_H */
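Review bot: `NFA_NEST_END` stores a pointer difference into `nfa_len`, which this same change declares as `u_int16_t`, so a nest that grows past 65535 bytes is silently truncated and the receiver then walks the attributes with a wrong length. Compute `(skb)->tail - (unsigned char *)(start)` into a local first and fail, as `NFA_PUT` does via `nfattr_failure`, when it exceeds 0xffff. Whether an skb on this path can get that large is not visible in the header, so treat this as a guard to confirm rather than a demonstrated overflow. `nfattr_bad_size` also uses `max`, `tb` and `cta_min` unparenthesized and compares the result of `NFA_PAYLOAD` with `cta_min[__i]`, whose type is not shown; if the two sides differ in signedness, a too-short attribute could pass the check.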
-diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_amanda.h include/linux/netfilter_ipv4/ip_conntrack_amanda.h
---- include.orig/linux/netfilter_ipv4/ip_conntrack_amanda.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_amanda.h 2005-05-06 22:11:02.000000000 +0200
-@@ -2,10 +2,4 @@
- #define _IP_CONNTRACK_AMANDA_H
- /* AMANDA tracking. */
+diff -uNr include.orig/linux/netfilter.h include/linux/netfilter.h
+--- include.orig/linux/netfilter.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/netfilter.h 2005-08-02 20:02:17.658255144 +0200
+@@ -11,7 +11,7 @@
+ #define NF_MAX_VERDICT NF_STOP
+
+ /* Generic cache responses from hook functions.
+- <= 0x2000 is used for protocol-flags. */
++ <= 0x2000 is reserved for conntrack event cache. */
+ #define NFC_UNKNOWN 0x4000
+ #define NFC_ALTERED 0x8000
--struct ip_conntrack_expect;
--extern unsigned int (*ip_nat_amanda_hook)(struct sk_buff **pskb,
-- enum ip_conntrack_info ctinfo,
-- unsigned int matchoff,
-- unsigned int matchlen,
-- struct ip_conntrack_expect *exp);
- #endif /* _IP_CONNTRACK_AMANDA_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_core.h include/linux/netfilter_ipv4/ip_conntrack_core.h
--- include.orig/linux/netfilter_ipv4/ip_conntrack_core.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-05-06 22:20:05.000000000 +0200
-@@ -1,7 +1,6 @@
- #ifndef _IP_CONNTRACK_CORE_H
- #define _IP_CONNTRACK_CORE_H
- #include <linux/netfilter.h>
--#include <linux/netfilter_ipv4/lockhelp.h>
++++ include/linux/netfilter_ipv4/ip_conntrack_core.h 2005-08-02 20:02:17.749241312 +0200
+@@ -34,15 +34,26 @@
+ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
+ const struct ip_conntrack *ignored_conntrack);
+
++struct ip_conntrack_tuple_hash *
++__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
++ const struct ip_conntrack *ignored_conntrack);
++
++struct ip_conntrack_expect *
++__ip_conntrack_exp_find(const struct ip_conntrack_tuple *tuple);
++
+ extern int __ip_conntrack_confirm(struct sk_buff **pskb);
- /* This header is used to share core functionality between the
- standalone connection tracking module, and the compatibility layer's use
-@@ -39,10 +38,14 @@
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
static inline int ip_conntrack_confirm(struct sk_buff **pskb)
{
}
extern struct list_head *ip_conntrack_hash;
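Review bot: The new `__ip_conntrack_find` and `__ip_conntrack_exp_find` prototypes in ip_conntrack_core.h are exposed without any statement of their locking or reference contract. The neighbouring `ip_conntrack_find_get` suggests by name that it takes a reference, while the `__` variants presumably return a bare pointer that is valid only while the caller holds the conntrack lock; this is inferred from naming, not shown here. A caller that keeps the result after dropping the lock would hold a pointer that can be freed underneath it. Once confirmed, add a comment such as `/* Caller must hold the conntrack lock; no reference is taken on the result. */`, and add `extern` for consistency with `__ip_conntrack_confirm`. The rest of this hunk is elided on the page.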
-diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_ftp.h include/linux/netfilter_ipv4/ip_conntrack_ftp.h
---- include.orig/linux/netfilter_ipv4/ip_conntrack_ftp.h 2005-03-26 19:58:02.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_ftp.h 2005-05-06 22:11:20.000000000 +0200
-@@ -2,8 +2,6 @@
- #define _IP_CONNTRACK_FTP_H
- /* FTP tracking. */
-
--#include <asm/types.h>
--
- enum ip_ct_ftp_type
- {
- /* PORT command from client */
-@@ -25,15 +23,4 @@
- int seq_aft_nl_num[IP_CT_DIR_MAX];
- };
-
--struct ip_conntrack_expect;
--
--/* For NAT to hook in when we find a packet which describes what other
-- * connection we should expect. */
--extern unsigned int (*ip_nat_ftp_hook)(struct sk_buff **pskb,
-- enum ip_conntrack_info ctinfo,
-- enum ip_ct_ftp_type type,
-- unsigned int matchoff,
-- unsigned int matchlen,
-- struct ip_conntrack_expect *exp,
-- __u32 *seq);
- #endif /* _IP_CONNTRACK_FTP_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack.h include/linux/netfilter_ipv4/ip_conntrack.h
--- include.orig/linux/netfilter_ipv4/ip_conntrack.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack.h 2005-05-06 23:16:27.000000000 +0200
-@@ -65,6 +65,100 @@
++++ include/linux/netfilter_ipv4/ip_conntrack.h 2005-08-02 20:05:38.525718648 +0200
+@@ -65,6 +65,63 @@
/* Both together */
IPS_NAT_DONE_MASK = (IPS_DST_NAT_DONE | IPS_SRC_NAT_DONE),
+enum ip_conntrack_expect_events {
+ IPEXP_NEW_BIT = 0,
+ IPEXP_NEW = (1 << IPEXP_NEW_BIT),
-+};
-+
-+struct ip_conntrack_counter
-+{
-+ u_int64_t packets;
-+ u_int64_t bytes;
-+};
-+
-+#include <linux/netfilter_ipv4/ip_conntrack_tuple.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_tcp.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_icmp.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_sctp.h>
-+
-+/* per conntrack: protocol private data */
-+union ip_conntrack_proto {
-+ /* insert conntrack proto private data here */
-+ struct ip_ct_sctp sctp;
-+ struct ip_ct_tcp tcp;
-+ struct ip_ct_icmp icmp;
-+};
-+
-+union ip_conntrack_expect_proto {
-+ /* insert expect proto private data here */
-+};
-+
-+/* Add protocol helper include file here */
-+#include <linux/netfilter_ipv4/ip_conntrack_mms.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_h323.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_amanda.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_ftp.h>
-+#include <linux/netfilter_ipv4/ip_conntrack_irc.h>
-+
-+/* per conntrack: application helper private data */
-+union ip_conntrack_help {
-+ /* insert conntrack helper private data (master) here */
-+ struct ip_ct_ftp_master ct_ftp_info;
-+ struct ip_ct_irc_master ct_irc_info;
};
#endif /* _IP_CONNTRACK_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h include/linux/netfilter_ipv4/ip_conntrack_h323.h
--- include.orig/linux/netfilter_ipv4/ip_conntrack_h323.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-05-06 22:11:32.000000000 +0200
-@@ -0,0 +1,5 @@
++++ include/linux/netfilter_ipv4/ip_conntrack_h323.h 2005-08-02 20:02:17.725244960 +0200
+@@ -0,0 +1,38 @@
+#ifndef _IP_CONNTRACK_H323_H
+#define _IP_CONNTRACK_H323_H
+/* H.323 connection tracking. */
+
-+#endif /* _IP_CONNTRACK_H323_H */
-diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_helper.h include/linux/netfilter_ipv4/ip_conntrack_helper.h
---- include.orig/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_helper.h 2005-05-06 09:24:35.000000000 +0200
-@@ -9,6 +9,8 @@
- {
- struct list_head list; /* Internal use. */
-
-+ spinlock_t *lock; /* protect private info and buffer */
++#ifdef __KERNEL__
+
- const char *name; /* name of the module */
- struct module *me; /* pointer to self */
- unsigned int max_expected; /* Maximum number of concurrent
-@@ -24,6 +26,8 @@
- int (*help)(struct sk_buff **pskb,
- struct ip_conntrack *ct,
- enum ip_conntrack_info conntrackinfo);
++/* Default H.225 port */
++#define H225_PORT 1720
+
-+ void (*change_help)(struct ip_conntrack *, union ip_conntrack_help *);
- };
-
- extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
-@@ -38,4 +42,7 @@
- extern int ip_conntrack_expect_related(struct ip_conntrack_expect *exp);
- extern void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp);
-
-+extern void ip_ct_generic_change_help(struct ip_conntrack *ct,
-+ union ip_conntrack_help *h);
++struct ip_conntrack_expect;
++struct ip_conntrack;
++struct ip_conntrack_helper;
+
- #endif /*_IP_CONNTRACK_HELPER_H*/
-diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h include/linux/netfilter_ipv4/ip_conntrack_mms.h
---- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-05-06 22:12:08.000000000 +0200
-@@ -0,0 +1,5 @@
-+#ifndef _IP_CONNTRACK_MMS_H
-+#define _IP_CONNTRACK_MMS_H
-+/* MMS tracking. */
++extern int (*ip_nat_h245_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ struct ip_conntrack_expect *exp);
+
-+#endif /* _IP_CONNTRACK_MMS_H */
-diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_netlink.h include/linux/netfilter_ipv4/ip_conntrack_netlink.h
---- include.orig/linux/netfilter_ipv4/ip_conntrack_netlink.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_netlink.h 2005-05-06 09:24:35.000000000 +0200
-@@ -0,0 +1,113 @@
-+#ifndef _NFNETLINK_CONNTRACK_H
-+#define _NFNETLINK_CONNTRACK_H
-+#include <linux/netfilter/nfnetlink.h>
-+#include <linux/netfilter_ipv4/ip_conntrack.h>
-+
-+/* CTNETLINK for ip_conntrack */
-+
-+/* TODO: Add more message types:
-+ *
-+ * o IPCTNL_MSG_UPDCONNTRACK, update conntracks
-+ */
-+enum cntl_msg_types {
-+ IPCTNL_MSG_CT_NEW,
-+ IPCTNL_MSG_CT_GET,
-+ IPCTNL_MSG_CT_DELETE,
-+ IPCTNL_MSG_CT_GET_CTRZERO,
-+ IPCTNL_MSG_CT_FLUSH,
++extern int (*ip_nat_h225_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ struct ip_conntrack_expect *exp);
+
-+ IPCTNL_MSG_EXP_NEW,
-+ IPCTNL_MSG_EXP_GET,
-+ IPCTNL_MSG_EXP_DELETE,
++extern void (*ip_nat_h225_signal_hook)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ unsigned int offset,
++ int dir,
++ int orig_dir);
+
-+ IPCTNL_MSG_CONFIG,
-+ IPCTNL_MSG_COUNT,
-+};
-+
-+enum ctnl_dump_mask {
-+ DUMP_TUPLE_BIT = 0,
-+ DUMP_TUPLE = (1 << DUMP_TUPLE_BIT),
++extern struct ip_conntrack_helper ip_conntrack_helper_h225;
+
-+ DUMP_STATUS_BIT = 1,
-+ DUMP_STATUS = (1 << DUMP_STATUS_BIT),
++void ip_conntrack_h245_expect(struct ip_conntrack *new,
++ struct ip_conntrack_expect *this);
+
-+ DUMP_TIMEOUT_BIT = 2,
-+ DUMP_TIMEOUT = (1 << DUMP_TIMEOUT_BIT),
++#endif /* __KERNEL__ */
+
-+ DUMP_PROTOINFO_BIT = 3,
-+ DUMP_PROTOINFO = (1 << DUMP_PROTOINFO_BIT),
++#endif /* _IP_CONNTRACK_H323_H */
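Review bot: The hook pointers `ip_nat_h245_hook`, `ip_nat_h225_hook` and `ip_nat_h225_signal_hook` in ip_conntrack_h323.h are declared with no comment on who sets them, whether they may be NULL, or how a reader is protected while the owning module unloads. If they are assigned by a separately loadable NAT helper, which is presumed from the names, every call site needs a NULL test and a defined lifetime rule. A short comment above the declarations should record that contract once it is confirmed. The header also uses `struct sk_buff` and `enum ip_conntrack_info` without declaring or including them, although it forward-declares three other structs, so it compiles only after the right headers have been included first.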
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h include/linux/netfilter_ipv4/ip_conntrack_mms.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_mms.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_mms.h 2005-08-02 20:02:17.774237512 +0200
+@@ -0,0 +1,36 @@
++#ifndef _IP_CONNTRACK_MMS_H
++#define _IP_CONNTRACK_MMS_H
++/* MMS tracking. */
+
-+ DUMP_HELPINFO_BIT = 4,
-+ DUMP_HELPINFO = (1 << DUMP_HELPINFO_BIT),
++#ifdef __KERNEL__
+
-+ DUMP_COUNTERS_BIT = 5,
-+ DUMP_COUNTERS = (1 << DUMP_COUNTERS_BIT),
++extern spinlock_t ip_mms_lock;
+
-+ DUMP_MARK_BIT = 6,
-+ DUMP_MARK = (1 << DUMP_MARK_BIT),
-+};
++#define MMS_PORT 1755
++#define MMS_SRV_MSG_ID 196610
+
-+/* ctnetlink attribute types.
-+ */
++#define MMS_SRV_MSG_OFFSET 36
++#define MMS_SRV_UNICODE_STRING_OFFSET 60
++#define MMS_SRV_CHUNKLENLV_OFFSET 16
++#define MMS_SRV_CHUNKLENLM_OFFSET 32
++#define MMS_SRV_MESSAGELENGTH_OFFSET 8
+
-+enum ctattr_type_t
-+{
-+ CTA_UNSPEC, /* [none] I don't know (unspecified). */
-+ CTA_ORIG, /* [ip_conntrack_tuple] Original tuple. */
-+ CTA_RPLY, /* [ip_conntrack_tuple] Reply tuple. */
-+ CTA_STATUS, /* [unsigned long] Status of connection. */
-+ CTA_PROTOINFO, /* [cta_proto] Protocol specific ct information. */
-+ CTA_HELPINFO, /* [cta_help] Helper specific information. */
-+ CTA_TIMEOUT, /* [unsigned long] timer */
-+ CTA_MARK, /* [unsigned long] mark .*/
-+ CTA_COUNTERS, /* [cta_counters] packet/byte counters */
-+ CTA_DUMPMASK, /* [unsigned int] mask for table dumping */
-+ CTA_EVENTMASK, /* [unsigned int] mask for event notification */
-+
-+ CTA_EXP_TUPLE, /* [ip_conntrack_tuple] Expected tuple */
-+ CTA_EXP_MASK, /* [ip_conntrack_tuple] Mask for EXP_TUPLE */
-+ CTA_EXP_SEQNO, /* [u_int32_t] sequence number */
-+ CTA_EXP_PROTO, /* [cta_exp_proto] */
-+ CTA_EXP_TIMEOUT,/* [unsigned long] timer */
++/* This structure is per expected connection */
++struct ip_ct_mms_expect {
++ u_int32_t offset;
++ u_int32_t len;
++ u_int32_t padding;
++ u_int16_t port;
++};
+
-+ CTA_MAX = CTA_EXP_TIMEOUT
++/* This structure exists only once per master */
++struct ip_ct_mms_master {
+};
+
-+/* Attribute specific data structures.
-+ */
++struct ip_conntrack_expect;
++extern unsigned int (*ip_nat_mms_hook)(struct sk_buff **pskb,
++ enum ip_conntrack_info ctinfo,
++ const struct ip_ct_mms_expect *exp_mms_info,
++ struct ip_conntrack_expect *exp);
++#endif
++#endif /* _IP_CONNTRACK_MMS_H */
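Review bot: `extern spinlock_t ip_mms_lock;` in ip_conntrack_mms.h has no comment saying which data it protects, unlike the FTP header in this same patch, which at least carries `/* Protects ftp part of conntracks */`. Add an equivalent line naming the guarded state so helper and NAT code agree on when the lock must be held. The inner `#endif` would read better as `#endif /* __KERNEL__ */`, matching the other headers here. `struct ip_ct_mms_master { };` is an empty struct, which is a GNU extension and worth a one-line comment on why it exists.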
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h include/linux/netfilter_ipv4/ip_conntrack_pptp.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_pptp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_pptp.h 2005-08-02 20:02:17.800233560 +0200
+@@ -0,0 +1,336 @@
++/* PPTP constants and structs */
++#ifndef _CONNTRACK_PPTP_H
++#define _CONNTRACK_PPTP_H
+
-+struct cta_proto {
-+ unsigned char num_proto; /* Protocol number IPPROTO_X */
-+ union ip_conntrack_proto proto;
++/* state of the control session */
++enum pptp_ctrlsess_state {
++ PPTP_SESSION_NONE, /* no session present */
++ PPTP_SESSION_ERROR, /* some session error */
++ PPTP_SESSION_STOPREQ, /* stop_sess request seen */
++ PPTP_SESSION_REQUESTED, /* start_sess request seen */
++ PPTP_SESSION_CONFIRMED, /* session established */
+};
+
-+#define CTA_HELP_MAXNAMESZ 31
++/* state of the call inside the control session */
++enum pptp_ctrlcall_state {
++ PPTP_CALL_NONE,
++ PPTP_CALL_ERROR,
++ PPTP_CALL_OUT_REQ,
++ PPTP_CALL_OUT_CONF,
++ PPTP_CALL_IN_REQ,
++ PPTP_CALL_IN_REP,
++ PPTP_CALL_IN_CONF,
++ PPTP_CALL_CLEAR_REQ,
++};
++
++
++/* conntrack private data */
++struct ip_ct_pptp_master {
++ enum pptp_ctrlsess_state sstate; /* session state */
++
++ /* everything below is going to be per-expectation in newnat,
++ * since there could be more than one call within one session */
++ enum pptp_ctrlcall_state cstate; /* call state */
++ u_int16_t pac_call_id; /* call id of PAC, host byte order */
++ u_int16_t pns_call_id; /* call id of PNS, host byte order */
++
++ /* in pre-2.6.11 this used to be per-expect. Now it is per-conntrack
++ * and therefore imposes a fixed limit on the number of maps */
++ struct ip_ct_gre_keymap *keymap_orig, *keymap_reply;
++};
++
++/* conntrack_expect private member */
++struct ip_ct_pptp_expect {
++ enum pptp_ctrlcall_state cstate; /* call state */
++ u_int16_t pac_call_id; /* call id of PAC */
++ u_int16_t pns_call_id; /* call id of PNS */
++};
++
++
++#ifdef __KERNEL__
++
++
++#include <linux/netfilter_ipv4/lockhelp.h>
++DECLARE_LOCK_EXTERN(ip_pptp_lock);
++
++#define IP_CONNTR_PPTP PPTP_CONTROL_PORT
++
++#define PPTP_CONTROL_PORT 1723
++
++#define PPTP_PACKET_CONTROL 1
++#define PPTP_PACKET_MGMT 2
++
++#define PPTP_MAGIC_COOKIE 0x1a2b3c4d
+
-+struct cta_help {
-+ char name[CTA_HELP_MAXNAMESZ]; /* name of conntrack helper */
-+ union ip_conntrack_help help;
++struct pptp_pkt_hdr {
++ __u16 packetLength;
++ __u16 packetType;
++ __u32 magicCookie;
+};
+
-+struct cta_exp_proto {
-+ union ip_conntrack_expect_proto proto;
-+};
++/* PptpControlMessageType values */
++#define PPTP_START_SESSION_REQUEST 1
++#define PPTP_START_SESSION_REPLY 2
++#define PPTP_STOP_SESSION_REQUEST 3
++#define PPTP_STOP_SESSION_REPLY 4
++#define PPTP_ECHO_REQUEST 5
++#define PPTP_ECHO_REPLY 6
++#define PPTP_OUT_CALL_REQUEST 7
++#define PPTP_OUT_CALL_REPLY 8
++#define PPTP_IN_CALL_REQUEST 9
++#define PPTP_IN_CALL_REPLY 10
++#define PPTP_IN_CALL_CONNECT 11
++#define PPTP_CALL_CLEAR_REQUEST 12
++#define PPTP_CALL_DISCONNECT_NOTIFY 13
++#define PPTP_WAN_ERROR_NOTIFY 14
++#define PPTP_SET_LINK_INFO 15
+
-+struct cta_counters {
-+ struct ip_conntrack_counter orig;
-+ struct ip_conntrack_counter reply;
++#define PPTP_MSG_MAX 15
++
++/* PptpGeneralError values */
++#define PPTP_ERROR_CODE_NONE 0
++#define PPTP_NOT_CONNECTED 1
++#define PPTP_BAD_FORMAT 2
++#define PPTP_BAD_VALUE 3
++#define PPTP_NO_RESOURCE 4
++#define PPTP_BAD_CALLID 5
++#define PPTP_REMOVE_DEVICE_ERROR 6
++
++struct PptpControlHeader {
++ __u16 messageType;
++ __u16 reserved;
++};
++
++/* FramingCapability Bitmap Values */
++#define PPTP_FRAME_CAP_ASYNC 0x1
++#define PPTP_FRAME_CAP_SYNC 0x2
++
++/* BearerCapability Bitmap Values */
++#define PPTP_BEARER_CAP_ANALOG 0x1
++#define PPTP_BEARER_CAP_DIGITAL 0x2
++
++struct PptpStartSessionRequest {
++ __u16 protocolVersion;
++ __u8 reserved1;
++ __u8 reserved2;
++ __u32 framingCapability;
++ __u32 bearerCapability;
++ __u16 maxChannels;
++ __u16 firmwareRevision;
++ __u8 hostName[64];
++ __u8 vendorString[64];
++};
++
++/* PptpStartSessionResultCode Values */
++#define PPTP_START_OK 1
++#define PPTP_START_GENERAL_ERROR 2
++#define PPTP_START_ALREADY_CONNECTED 3
++#define PPTP_START_NOT_AUTHORIZED 4
++#define PPTP_START_UNKNOWN_PROTOCOL 5
++
++struct PptpStartSessionReply {
++ __u16 protocolVersion;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u32 framingCapability;
++ __u32 bearerCapability;
++ __u16 maxChannels;
++ __u16 firmwareRevision;
++ __u8 hostName[64];
++ __u8 vendorString[64];
++};
++
++/* PptpStopReasons */
++#define PPTP_STOP_NONE 1
++#define PPTP_STOP_PROTOCOL 2
++#define PPTP_STOP_LOCAL_SHUTDOWN 3
++
++struct PptpStopSessionRequest {
++ __u8 reason;
++};
++
++/* PptpStopSessionResultCode */
++#define PPTP_STOP_OK 1
++#define PPTP_STOP_GENERAL_ERROR 2
++
++struct PptpStopSessionReply {
++ __u8 resultCode;
++ __u8 generalErrorCode;
++};
++
++struct PptpEchoRequest {
++ __u32 identNumber;
++};
++
++/* PptpEchoReplyResultCode */
++#define PPTP_ECHO_OK 1
++#define PPTP_ECHO_GENERAL_ERROR 2
++
++struct PptpEchoReply {
++ __u32 identNumber;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 reserved;
++};
++
++/* PptpFramingType */
++#define PPTP_ASYNC_FRAMING 1
++#define PPTP_SYNC_FRAMING 2
++#define PPTP_DONT_CARE_FRAMING 3
++
++/* PptpCallBearerType */
++#define PPTP_ANALOG_TYPE 1
++#define PPTP_DIGITAL_TYPE 2
++#define PPTP_DONT_CARE_BEARER_TYPE 3
++
++struct PptpOutCallRequest {
++ __u16 callID;
++ __u16 callSerialNumber;
++ __u32 minBPS;
++ __u32 maxBPS;
++ __u32 bearerType;
++ __u32 framingType;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u16 reserved1;
++ __u16 phoneNumberLength;
++ __u16 reserved2;
++ __u8 phoneNumber[64];
++ __u8 subAddress[64];
++};
++
++/* PptpCallResultCode */
++#define PPTP_OUTCALL_CONNECT 1
++#define PPTP_OUTCALL_GENERAL_ERROR 2
++#define PPTP_OUTCALL_NO_CARRIER 3
++#define PPTP_OUTCALL_BUSY 4
++#define PPTP_OUTCALL_NO_DIAL_TONE 5
++#define PPTP_OUTCALL_TIMEOUT 6
++#define PPTP_OUTCALL_DONT_ACCEPT 7
++
++struct PptpOutCallReply {
++ __u16 callID;
++ __u16 peersCallID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 causeCode;
++ __u32 connectSpeed;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u32 physChannelID;
++};
++
++struct PptpInCallRequest {
++ __u16 callID;
++ __u16 callSerialNumber;
++ __u32 callBearerType;
++ __u32 physChannelID;
++ __u16 dialedNumberLength;
++ __u16 dialingNumberLength;
++ __u8 dialedNumber[64];
++ __u8 dialingNumber[64];
++ __u8 subAddress[64];
++};
++
++/* PptpInCallResultCode */
++#define PPTP_INCALL_ACCEPT 1
++#define PPTP_INCALL_GENERAL_ERROR 2
++#define PPTP_INCALL_DONT_ACCEPT 3
++
++struct PptpInCallReply {
++ __u16 callID;
++ __u16 peersCallID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u16 reserved;
++};
++
++struct PptpInCallConnected {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 connectSpeed;
++ __u16 packetWindow;
++ __u16 packetProcDelay;
++ __u32 callFramingType;
++};
++
++struct PptpClearCallRequest {
++ __u16 callID;
++ __u16 reserved;
++};
++
++struct PptpCallDisconnectNotify {
++ __u16 callID;
++ __u8 resultCode;
++ __u8 generalErrorCode;
++ __u16 causeCode;
++ __u16 reserved;
++ __u8 callStatistics[128];
++};
++
++struct PptpWanErrorNotify {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 crcErrors;
++ __u32 framingErrors;
++ __u32 hardwareOverRuns;
++ __u32 bufferOverRuns;
++ __u32 timeoutErrors;
++ __u32 alignmentErrors;
++};
++
++struct PptpSetLinkInfo {
++ __u16 peersCallID;
++ __u16 reserved;
++ __u32 sendAccm;
++ __u32 recvAccm;
++};
++
++
++struct pptp_priv_data {
++ __u16 call_id;
++ __u16 mcall_id;
++ __u16 pcall_id;
++};
++
++union pptp_ctrl_union {
++ struct PptpStartSessionRequest sreq;
++ struct PptpStartSessionReply srep;
++ struct PptpStopSessionRequest streq;
++ struct PptpStopSessionReply strep;
++ struct PptpOutCallRequest ocreq;
++ struct PptpOutCallReply ocack;
++ struct PptpInCallRequest icreq;
++ struct PptpInCallReply icack;
++ struct PptpInCallConnected iccon;
++ struct PptpClearCallRequest clrreq;
++ struct PptpCallDisconnectNotify disc;
++ struct PptpWanErrorNotify wanerr;
++ struct PptpSetLinkInfo setlink;
+};
+
-+/* ctnetlink multicast groups: reports any change of ctinfo,
-+ * ctstatus, or protocol state change.
-+ */
-+#define NFGRP_IPV4_CT_TCP 0x01
-+#define NFGRP_IPV4_CT_UDP 0x02
-+#define NFGRP_IPV4_CT_ICMP 0x04
-+#define NFGRP_IPV4_CT_OTHER 0x08
++extern int
++(*ip_nat_pptp_hook_outbound)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ struct PptpControlHeader *ctlh,
++ union pptp_ctrl_union *pptpReq);
+
-+#define NFGRP_IPV6_CT_TCP 0x10
-+#define NFGRP_IPV6_CT_UDP 0x20
-+#define NFGRP_IPV6_CT_ICMP 0x40
-+#define NFGRP_IPV6_CT_OTHER 0x80
++extern int
++(*ip_nat_pptp_hook_inbound)(struct sk_buff **pskb,
++ struct ip_conntrack *ct,
++ enum ip_conntrack_info ctinfo,
++ struct PptpControlHeader *ctlh,
++ union pptp_ctrl_union *pptpReq);
+
-+#endif /* _NFNETLINK_CONNTRACK_H */
++extern int
++(*ip_nat_pptp_hook_exp_gre)(struct ip_conntrack_expect *exp_orig,
++ struct ip_conntrack_expect *exp_reply);
++
++extern void
++(*ip_nat_pptp_hook_expectfn)(struct ip_conntrack *ct,
++ struct ip_conntrack_expect *exp);
++#endif /* __KERNEL__ */
++#endif /* _CONNTRACK_PPTP_H */
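Review bot: The on-wire structs from `struct pptp_pkt_hdr` down to `union pptp_ctrl_union` state neither their byte order nor the length check a reader must make, while `struct ip_ct_pptp_master` marks its call ids as host byte order. The union is as large as its largest member, so code handed a `union pptp_ctrl_union *` through `ip_nat_pptp_hook_outbound` or `ip_nat_pptp_hook_inbound` cannot tell from the type how much of the control message was actually in the packet. I would add a comment above the union such as `/* on-wire layout, multi-byte fields presumably in network byte order; only the member matching ctlh->messageType (<= PPTP_MSG_MAX) is valid, and only after the caller has checked the message length against sizeof that member */`. `pac_call_id` and `pns_call_id` in `struct ip_ct_pptp_expect` should also state their byte order, as the master struct does.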
diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h include/linux/netfilter_ipv4/ip_conntrack_protocol.h
--- include.orig/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-05-06 09:24:35.000000000 +0200
-@@ -10,6 +10,8 @@
- /* Protocol number. */
- u_int8_t proto;
-
-+ rwlock_t *lock;
-+
- /* Protocol name */
- const char *name;
-
-@@ -34,7 +36,7 @@
++++ include/linux/netfilter_ipv4/ip_conntrack_protocol.h 2005-08-02 20:02:17.753240704 +0200
+@@ -34,7 +34,7 @@
/* Returns verdict for packet, or -1 for invalid. */
int (*packet)(struct ip_conntrack *conntrack,
enum ip_conntrack_info ctinfo);
/* Called when a new connection for this protocol found;
-@@ -47,6 +49,17 @@
- int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
- unsigned int hooknum);
-
-+ /* check if tuples are valid for a new connection */
-+ int (*change_check_tuples)(struct ip_conntrack_tuple *orig,
-+ struct ip_conntrack_tuple *reply);
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_proto_gre.h 2005-08-02 20:02:17.718246024 +0200
+@@ -0,0 +1,114 @@
++#ifndef _CONNTRACK_PROTO_GRE_H
++#define _CONNTRACK_PROTO_GRE_H
++#include <asm/byteorder.h>
++
++/* GRE PROTOCOL HEADER */
++
++/* GRE Version field */
++#define GRE_VERSION_1701 0x0
++#define GRE_VERSION_PPTP 0x1
++
++/* GRE Protocol field */
++#define GRE_PROTOCOL_PPTP 0x880B
++
++/* GRE Flags */
++#define GRE_FLAG_C 0x80
++#define GRE_FLAG_R 0x40
++#define GRE_FLAG_K 0x20
++#define GRE_FLAG_S 0x10
++#define GRE_FLAG_A 0x80
++
++#define GRE_IS_C(f) ((f)&GRE_FLAG_C)
++#define GRE_IS_R(f) ((f)&GRE_FLAG_R)
++#define GRE_IS_K(f) ((f)&GRE_FLAG_K)
++#define GRE_IS_S(f) ((f)&GRE_FLAG_S)
++#define GRE_IS_A(f) ((f)&GRE_FLAG_A)
++
++/* GRE is a mess: Four different standards */
++struct gre_hdr {
++#if defined(__LITTLE_ENDIAN_BITFIELD)
++ __u16 rec:3,
++ srr:1,
++ seq:1,
++ key:1,
++ routing:1,
++ csum:1,
++ version:3,
++ reserved:4,
++ ack:1;
++#elif defined(__BIG_ENDIAN_BITFIELD)
++ __u16 csum:1,
++ routing:1,
++ key:1,
++ seq:1,
++ srr:1,
++ rec:3,
++ ack:1,
++ reserved:4,
++ version:3;
++#else
++#error "Adjust your <asm/byteorder.h> defines"
++#endif
++ __u16 protocol;
++};
+
-+ /* check protocol data is valid */
-+ int (*change_check_proto)(union ip_conntrack_proto *p);
++/* modified GRE header for PPTP */
++struct gre_hdr_pptp {
++ __u8 flags; /* bitfield */
++ __u8 version; /* should be GRE_VERSION_PPTP */
++ __u16 protocol; /* should be GRE_PROTOCOL_PPTP */
++ __u16 payload_len; /* size of ppp payload, not inc. gre header */
++ __u16 call_id; /* peer's call_id for this session */
++ __u32 seq; /* sequence number. Present if S==1 */
++ __u32 ack; /* seq number of highest packet recieved by */
++ /* sender in this session */
++};
+
-+ /* change protocol info on behalf of ctnetlink */
-+ void (*change_proto)(struct ip_conntrack *ct,
-+ union ip_conntrack_proto *p);
-+
- /* Module (if any) which this is connected to. */
- struct module *me;
- };
-@@ -57,6 +70,8 @@
- /* Protocol registration. */
- extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
- extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
-+extern void ip_ct_generic_change_proto(struct ip_conntrack *conntrack,
-+ union ip_conntrack_proto *p);
-
- static inline struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
- {
-diff -uNr include.orig/linux/netfilter_ipv4/ip_logging.h include/linux/netfilter_ipv4/ip_logging.h
---- include.orig/linux/netfilter_ipv4/ip_logging.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_logging.h 2005-05-06 22:12:26.000000000 +0200
-@@ -0,0 +1,5 @@
-+/* IPv4 macros for the internal logging interface. */
-+#ifndef __IP_LOGGING_H
-+#define __IP_LOGGING_H
-+
-+#endif /*__IP_LOGGING_H*/
-diff -uNr include.orig/linux/netfilter_ipv4/ip_nat.h include/linux/netfilter_ipv4/ip_nat.h
---- include.orig/linux/netfilter_ipv4/ip_nat.h 2005-03-25 01:06:43.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_nat.h 2005-05-06 22:13:06.000000000 +0200
-@@ -39,33 +39,15 @@
- union ip_conntrack_manip_proto min, max;
- };
-
--/* A range consists of an array of 1 or more ip_nat_range */
-+/* For backwards compat: don't use in modern code. */
- struct ip_nat_multi_range_compat
- {
-- unsigned int rangesize;
-+ unsigned int rangesize; /* Must be 1. */
-
- /* hangs off end. */
- struct ip_nat_range range[1];
++
++/* this is part of ip_conntrack */
++struct ip_ct_gre {
++ unsigned int stream_timeout;
++ unsigned int timeout;
++};
++
++#ifdef __KERNEL__
++struct ip_conntrack_expect;
++struct ip_conntrack;
++
++/* structure for original <-> reply keymap */
++struct ip_ct_gre_keymap {
++ struct list_head list;
++
++ struct ip_conntrack_tuple tuple;
++};
++
++/* add new tuple->key_reply pair to keymap */
++int ip_ct_gre_keymap_add(struct ip_conntrack *ct,
++ struct ip_conntrack_tuple *t,
++ int reply);
++
++/* delete keymap entries */
++void ip_ct_gre_keymap_destroy(struct ip_conntrack *ct);
++
++
++/* get pointer to gre key, if present */
++static inline u_int32_t *gre_key(struct gre_hdr *greh)
++{
++ if (!greh->key)
++ return NULL;
++ if (greh->csum || greh->routing)
++ return (u_int32_t *) (greh+sizeof(*greh)+4);
++ return (u_int32_t *) (greh+sizeof(*greh));
++}
++
++/* get pointer ot gre csum, if present */
++static inline u_int16_t *gre_csum(struct gre_hdr *greh)
++{
++ if (!greh->csum)
++ return NULL;
++ return (u_int16_t *) (greh+sizeof(*greh));
++}
++
++#endif /* __KERNEL__ */
++
++#endif /* _CONNTRACK_PROTO_GRE_H */
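Review bot: In `gre_key()` and `gre_csum()` the offset is added to a `struct gre_hdr *`, so `greh+sizeof(*greh)` advances by `sizeof(*greh)` whole headers rather than that many bytes. With the 4-byte header declared above, the result is 16 bytes past `greh` (32 in the `+4` branch), which on a short packet may lie outside the data the caller has validated. Do the arithmetic on a byte pointer instead: `return (u_int32_t *)((u_int8_t *)greh + sizeof(*greh) + 4);`, `return (u_int32_t *)((u_int8_t *)greh + sizeof(*greh));` and, in `gre_csum()`, `return (u_int16_t *)((u_int8_t *)greh + sizeof(*greh));`. Separately, `GRE_FLAG_A` and `GRE_FLAG_C` are both `0x80`, so a comment naming the header byte `GRE_IS_A()` applies to (presumably `version` in `struct gre_hdr_pptp`) would keep it from being used on `flags`.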
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h include/linux/netfilter_ipv4/ip_conntrack_quake3.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_quake3.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_quake3.h 2005-08-02 20:02:17.771237968 +0200
+@@ -0,0 +1,22 @@
++#ifndef _IP_CT_QUAKE3
++#define _IP_CT_QUAKE3
++
++/* Don't confuse with 27960, often used as the Server Port */
++#define QUAKE3_MASTER_PORT 27950
++
++struct quake3_search {
++ const char marker[4]; /* always 0xff 0xff 0xff 0xff ? */
++ const char *pattern;
++ size_t plen;
++};
++
++/* This structure is per expected connection */
++struct ip_ct_quake3_expect {
++};
++
++/* This structure exists only once per master */
++struct ip_ct_quake3_master {
++};
++
++extern unsigned int (*ip_nat_quake3_hook)(struct ip_conntrack_expect *exp);
++#endif /* _IP_CT_QUAKE3 */
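Review bot: `ip_nat_quake3_hook` takes a `struct ip_conntrack_expect *`, but this header neither includes a definition nor forward-declares the struct. ip_conntrack_mms.h and ip_conntrack_proto_gre.h in the same patch both put `struct ip_conntrack_expect;` before their prototypes. If this header is included before the conntrack headers, the struct is declared with prototype scope only, and the hook's type no longer matches the one seen by the file that defines it. Add `struct ip_conntrack_expect;` above the `extern` line, and consider wrapping the hook in `#ifdef __KERNEL__` as the PPTP and GRE headers do for their kernel-only declarations.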
+diff -uNr include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h include/linux/netfilter_ipv4/ip_conntrack_tuple.h
+--- include.orig/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-03-13 21:53:55.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_conntrack_tuple.h 2005-08-02 20:02:17.807232496 +0200
+@@ -28,6 +28,9 @@
+ struct {
+ u_int16_t port;
+ } sctp;
++ struct {
++ u_int16_t key; /* key is 32bit, pptp onky uses 16 */
++ } gre;
};
--/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */
--#define IP_NAT_MAX_MANIPS (2*3)
--
--struct ip_nat_info_manip
--{
-- /* The direction. */
-- u_int8_t direction;
--
-- /* Which hook the manipulation happens on. */
-- u_int8_t hooknum;
--
-- /* The manipulation type. */
-- u_int8_t maniptype;
--
-- /* Manipulations to occur at each conntrack in this dirn. */
-- struct ip_conntrack_manip manip;
--};
--
- #define ip_nat_multi_range ip_nat_multi_range_compat
+ /* The manipulable part of the tuple. */
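Review bot: The comment on the new `gre` member says the key is 32 bits wide while the tuple stores a `u_int16_t`, but it does not say which 16 bits are kept or what that means for GRE traffic that is not PPTP. If the stored value is the `call_id` of `struct gre_hdr_pptp`, say so, for example `u_int16_t key; /* PPTP call id; the full 32-bit GRE key is not tracked, so non-PPTP GRE flows differing only in the other 16 bits share a tuple */`, and fix the typo "onky". The second hunk (`@@ -61,6 +64,9 @@`) adds the same member with no comment at all and should carry the same wording. Both enclosing unions start and end outside the hunks.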
+@@ -61,6 +64,9 @@
+ struct {
+ u_int16_t port;
+ } sctp;
++ struct {
++ u_int16_t key;
++ } gre;
+ } u;
- #endif
+ /* The protocol. */
+diff -uNr include.orig/linux/netfilter_ipv4/ip_nat_pptp.h include/linux/netfilter_ipv4/ip_nat_pptp.h
+--- include.orig/linux/netfilter_ipv4/ip_nat_pptp.h 1970-01-01 01:00:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ip_nat_pptp.h 2005-08-02 20:02:17.767238576 +0200
+@@ -0,0 +1,11 @@
++/* PPTP constants and structs */
++#ifndef _NAT_PPTP_H
++#define _NAT_PPTP_H
++
++/* conntrack private data */
++struct ip_nat_pptp {
++ u_int16_t pns_call_id; /* NAT'ed PNS call id */
++ u_int16_t pac_call_id; /* NAT'ed PAC call id */
++};
++
++#endif /* _NAT_PPTP_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_queue.h include/linux/netfilter_ipv4/ip_queue.h
--- include.orig/linux/netfilter_ipv4/ip_queue.h 2004-10-31 20:56:03.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_queue.h 2005-05-06 22:13:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_queue.h 2005-08-02 20:02:17.823230064 +0200
@@ -39,10 +39,20 @@
unsigned char payload[0]; /* Optional replacement packet */
} ipq_verdict_msg_t;
union {
ipq_verdict_msg_t verdict;
ipq_mode_msg_t mode;
-+ ipq_vwmark_msg_t vwmark;
++ ipq_vwmark_msg_t vwmark;
} msg;
} ipq_peer_msg_t;
#endif /*_IP_QUEUE_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ip_set.h include/linux/netfilter_ipv4/ip_set.h
--- include.orig/linux/netfilter_ipv4/ip_set.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set.h 2005-05-06 22:13:48.000000000 +0200
-@@ -0,0 +1,293 @@
++++ include/linux/netfilter_ipv4/ip_set.h 2005-08-02 20:02:17.828229304 +0200
+@@ -0,0 +1,489 @@
+#ifndef _IP_SET_H
+#define _IP_SET_H
+
+ return 4 * ((((b - a + 8) / 8) + 3) / 4);
+}
+
++#ifdef __KERNEL__
++
++#define ip_set_printk(format, args...) \
++ do { \
++ printk("%s: %s: ", __FILE__, __FUNCTION__); \
++ printk(format "\n" , ## args); \
++ } while (0)
++
++#if defined(IP_SET_DEBUG)
++#define DP(format, args...) \
++ do { \
++ printk("%s: %s (DBG): ", __FILE__, __FUNCTION__);\
++ printk(format "\n" , ## args); \
++ } while (0)
++#define IP_SET_ASSERT(x) \
++ do { \
++ if (!(x)) \
++ printk("IP_SET_ASSERT: %s:%i(%s)\n", \
++ __FILE__, __LINE__, __FUNCTION__); \
++ } while (0)
++#else
++#define DP(format, args...)
++#define IP_SET_ASSERT(x)
++#endif
++
++struct ip_set;
++
++/*
++ * The ip_set_type definition - one per set type, e.g. "ipmap".
++ *
++ * Each individual set has a pointer, set->type, going to one
++ * of these structures. Function pointers inside the structure implement
++ * the real behaviour of the sets.
++ *
++ * If not mentioned differently, the implementation behind the function
++ * pointers of a set_type, is expected to return 0 if ok, and a negative
++ * errno (e.g. -EINVAL) on error.
++ */
++struct ip_set_type {
++ struct list_head list; /* next in list of set types */
++
++ /* test for IP in set (kernel: iptables -m set src|dst)
++ * return 0 if not in set, 1 if in set.
++ */
++ int (*testip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* test for IP in set (userspace: ipset -T set IP)
++ * return 0 if not in set, 1 if in set.
++ */
++ int (*testip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /*
++ * Size of the data structure passed by when
++ * adding/deletin/testing an entry.
++ */
++ size_t reqsize;
++
++ /* Add IP into set (userspace: ipset -A set IP)
++ * Return -EEXIST if the address is already in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address was not already in the set, 0 is returned.
++ */
++ int (*addip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /* Add IP into set (kernel: iptables ... -j SET set src|dst)
++ * Return -EEXIST if the address is already in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address was not already in the set, 0 is returned.
++ */
++ int (*addip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* remove IP from set (userspace: ipset -D set --entry x)
++ * Return -EEXIST if the address is NOT in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address really was in the set, 0 is returned.
++ */
++ int (*delip) (struct ip_set *set,
++ const void *data, size_t size,
++ ip_set_ip_t *ip);
++
++ /* remove IP from set (kernel: iptables ... -j SET --entry x)
++ * Return -EEXIST if the address is NOT in the set,
++ * and -ERANGE if the address lies outside the set bounds.
++ * If the address really was in the set, 0 is returned.
++ */
++ int (*delip_kernel) (struct ip_set *set,
++ const struct sk_buff * skb,
++ u_int32_t flags,
++ ip_set_ip_t *ip);
++
++ /* new set creation - allocated type specific items
++ */
++ int (*create) (struct ip_set *set,
++ const void *data, size_t size);
++
++ /* retry the operation after successfully tweaking the set
++ */
++ int (*retry) (struct ip_set *set);
++
++ /* set destruction - free type specific items
++ * There is no return value.
++ * Can be called only when child sets are destroyed.
++ */
++ void (*destroy) (struct ip_set *set);
++
++ /* set flushing - reset all bits in the set, or something similar.
++ * There is no return value.
++ */
++ void (*flush) (struct ip_set *set);
++
++ /* Listing: size needed for header
++ */
++ size_t header_size;
++
++ /* Listing: Get the header
++ *
++ * Fill in the information in "data".
++ * This function is always run after list_header_size() under a
++ * writelock on the set. Therefor is the length of "data" always
++ * correct.
++ */
++ void (*list_header) (const struct ip_set *set,
++ void *data);
++
++ /* Listing: Get the size for the set members
++ */
++ int (*list_members_size) (const struct ip_set *set);
++
++ /* Listing: Get the set members
++ *
++ * Fill in the information in "data".
++ * This function is always run after list_member_size() under a
++ * writelock on the set. Therefor is the length of "data" always
++ * correct.
++ */
++ void (*list_members) (const struct ip_set *set,
++ void *data);
++
++ char typename[IP_SET_MAXNAMELEN];
++ char typecode;
++ int protocol_version;
++
++ /* Set this to THIS_MODULE if you are a module, otherwise NULL */
++ struct module *me;
++};
++
++extern int ip_set_register_set_type(struct ip_set_type *set_type);
++extern void ip_set_unregister_set_type(struct ip_set_type *set_type);
++
++/* A generic ipset */
++struct ip_set {
++ char name[IP_SET_MAXNAMELEN]; /* the name of the set */
++ rwlock_t lock; /* lock for concurrency control */
++ ip_set_id_t id; /* set id for swapping */
++ ip_set_id_t binding; /* default binding for the set */
++ atomic_t ref; /* in kernel and in hash references */
++ struct ip_set_type *type; /* the set types */
++ void *data; /* pooltype specific data */
++};
++
++/* Structure to bind set elements to sets */
++struct ip_set_hash {
++ struct list_head list; /* list of clashing entries in hash */
++ ip_set_ip_t ip; /* ip from set */
++ ip_set_id_t id; /* set id */
++ ip_set_id_t binding; /* set we bind the element to */
++};
++
++/* register and unregister set references */
++extern ip_set_id_t ip_set_get_byname(const char name[IP_SET_MAXNAMELEN]);
++extern ip_set_id_t ip_set_get_byindex(ip_set_id_t id);
++extern void ip_set_put(ip_set_id_t id);
++
++/* API for iptables set match, and SET target */
++extern void ip_set_addip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++extern void ip_set_delip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++extern int ip_set_testip_kernel(ip_set_id_t id,
++ const struct sk_buff *skb,
++ const u_int32_t *flags);
++
++#endif /* __KERNEL__ */
++
+#endif /*_IP_SET_H*/
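Review bot: The userspace-facing callbacks `testip`, `addip`, `delip` and `create` take `const void *data, size_t size`, but the `reqsize` comment only describes it as the size of the structure passed in. Nothing states who compares `size` with `reqsize` before an implementation casts `data`. I would make the contract explicit on the field, e.g. `/* Size of the request structure for add/del/test; the core must reject size != reqsize before calling the type's callbacks */`, or, if the core does not do that, say that each callback must. The listing comments also refer to `list_header_size()` and `list_member_size()`, which do not exist here: the members are the `header_size` field and `list_members_size`. Since `list_header` and `list_members` write through a bare `void *data` with no length, those comments are the only statement of the buffer size and should name the right members.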
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iphash.h include/linux/netfilter_ipv4/ip_set_iphash.h
--- include.orig/linux/netfilter_ipv4/ip_set_iphash.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_iphash.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_iphash.h 2005-08-02 20:02:17.803233104 +0200
@@ -0,0 +1,30 @@
+#ifndef __IP_SET_IPHASH_H
+#define __IP_SET_IPHASH_H
+#endif /* __IP_SET_IPHASH_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_ipmap.h include/linux/netfilter_ipv4/ip_set_ipmap.h
--- include.orig/linux/netfilter_ipv4/ip_set_ipmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_ipmap.h 2005-08-02 20:02:17.763239184 +0200
@@ -0,0 +1,56 @@
+#ifndef __IP_SET_IPMAP_H
+#define __IP_SET_IPMAP_H
+#endif /* __IP_SET_IPMAP_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_iptree.h include/linux/netfilter_ipv4/ip_set_iptree.h
--- include.orig/linux/netfilter_ipv4/ip_set_iptree.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_iptree.h 2005-05-06 22:14:47.000000000 +0200
-@@ -0,0 +1,35 @@
++++ include/linux/netfilter_ipv4/ip_set_iptree.h 2005-08-02 20:02:17.810232040 +0200
+@@ -0,0 +1,39 @@
+#ifndef __IP_SET_IPTREE_H
+#define __IP_SET_IPTREE_H
+
+struct ip_set_iptree {
+ unsigned int timeout;
+ unsigned int gc_interval;
++#ifdef __KERNEL__
++ struct timer_list gc;
++ struct ip_set_iptreeb *tree[255]; /* ADDR.*.*.* */
++#endif
+};
+
+struct ip_set_req_iptree_create {
+#endif /* __IP_SET_IPTREE_H */
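Review bot: `tree[255]` has slots for indexes 0 to 254 only, while its comment `ADDR.*.*.*` suggests it is indexed by the first octet of the address, which can be 255. Unless the implementation (not in this hunk) rejects such addresses before indexing, that is an access one past the end of the array in kernel memory; `struct ip_set_iptreeb *tree[256]; /* ADDR.*.*.* */` covers the full octet range. The `#ifdef __KERNEL__` members also give `struct ip_set_iptree` a different size in kernel and userspace, so if the struct is ever copied across that boundary, the copy length needs to be stated explicitly rather than taken from `sizeof`.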
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_jhash.h include/linux/netfilter_ipv4/ip_set_jhash.h
--- include.orig/linux/netfilter_ipv4/ip_set_jhash.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_jhash.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_jhash.h 2005-08-02 20:02:17.758239944 +0200
@@ -0,0 +1,148 @@
+#ifndef _LINUX_IPSET_JHASH_H
+#define _LINUX_IPSET_JHASH_H
+#endif /* _LINUX_IPSET_JHASH_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_macipmap.h include/linux/netfilter_ipv4/ip_set_macipmap.h
--- include.orig/linux/netfilter_ipv4/ip_set_macipmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_macipmap.h 2005-08-02 20:02:17.776237208 +0200
@@ -0,0 +1,38 @@
+#ifndef __IP_SET_MACIPMAP_H
+#define __IP_SET_MACIPMAP_H
+#endif /* __IP_SET_MACIPMAP_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_malloc.h include/linux/netfilter_ipv4/ip_set_malloc.h
--- include.orig/linux/netfilter_ipv4/ip_set_malloc.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_malloc.h 2005-05-06 22:14:58.000000000 +0200
-@@ -0,0 +1,4 @@
++++ include/linux/netfilter_ipv4/ip_set_malloc.h 2005-08-02 20:02:17.788235384 +0200
+@@ -0,0 +1,34 @@
+#ifndef _IP_SET_MALLOC_H
+#define _IP_SET_MALLOC_H
+
++#ifdef __KERNEL__
++
++/* Memory allocation and deallocation */
++static size_t max_malloc_size = 0;
++
++static inline void init_max_malloc_size(void)
++{
++#define CACHE(x) max_malloc_size = x;
++#include <linux/kmalloc_sizes.h>
++#undef CACHE
++}
++
++static inline void * ip_set_malloc(size_t bytes)
++{
++ if (bytes > max_malloc_size)
++ return vmalloc(bytes);
++ else
++ return kmalloc(bytes, GFP_KERNEL);
++}
++
++static inline void ip_set_free(void * data, size_t bytes)
++{
++ if (bytes > max_malloc_size)
++ vfree(data);
++ else
++ kfree(data);
++}
++
++#endif /* __KERNEL__ */
++
+#endif /*_IP_SET_MALLOC_H*/
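Review bot: `ip_set_free()` chooses `vfree()` or `kfree()` from the caller-supplied `bytes` and the current `max_malloc_size`, so it matches `ip_set_malloc()` only when both values are the same as at allocation time. Because `max_malloc_size` is `static` in a header, every file that includes it gets its own copy, initially 0. Until `init_max_malloc_size()` has run in that file, every non-zero request takes the `vmalloc()` branch, and memory allocated in one file and freed in another can reach the wrong deallocator. I would document this on the pair, e.g. `/* bytes must equal the size given to ip_set_malloc(), and both calls must come from a file that has already called init_max_malloc_size() */`. The use of `GFP_KERNEL` and `vmalloc()` also means `ip_set_malloc()` should be marked as process-context only.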
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_nethash.h include/linux/netfilter_ipv4/ip_set_nethash.h
--- include.orig/linux/netfilter_ipv4/ip_set_nethash.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_nethash.h 2005-05-06 22:15:09.000000000 +0200
-@@ -0,0 +1,47 @@
++++ include/linux/netfilter_ipv4/ip_set_nethash.h 2005-08-02 20:02:17.755240400 +0200
+@@ -0,0 +1,55 @@
+#ifndef __IP_SET_NETHASH_H
+#define __IP_SET_NETHASH_H
+
+ unsigned char n, t, *a;
+
+ addr = htonl(ip & (0xFFFFFFFF << (32 - (cidr))));
++#ifdef __KERNEL__
++ DP("ip:%u.%u.%u.%u/%u", NIPQUAD(addr), cidr);
++#endif
+ n = cidr / 8;
+ t = cidr % 8;
+ a = &((unsigned char *)paddr)[n];
+ *a = *a /(1 << (8 - t)) + shifts[t];
++#ifdef __KERNEL__
++ DP("n: %u, t: %u, a: %u", n, t, *a);
++ DP("ip:%u.%u.%u.%u/%u, %u.%u.%u.%u",
++ HIPQUAD(ip), cidr, NIPQUAD(addr));
++#endif
+
+ return ntohl(addr);
+}
+#endif /* __IP_SET_NETHASH_H */
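Review bot: The packing code this hunk instruments has no visible guard on `cidr`. `0xFFFFFFFF << (32 - (cidr))` shifts a 32-bit operand by 32 when `cidr` is 0, which is undefined behaviour. When `cidr` is 32, `n = cidr / 8` is 4, so `a` refers to index 4 of the bytes `paddr` points at. The function starts outside the hunk, so a range check may already exist there. If it does not, add one before the shift and record the accepted range in a comment, e.g. `/* cidr must be in 1..31 */`, adjusted to whatever range the callers actually allow.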
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_portmap.h include/linux/netfilter_ipv4/ip_set_portmap.h
--- include.orig/linux/netfilter_ipv4/ip_set_portmap.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_portmap.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_portmap.h 2005-08-02 20:02:17.772237816 +0200
@@ -0,0 +1,25 @@
+#ifndef __IP_SET_PORTMAP_H
+#define __IP_SET_PORTMAP_H
+#endif /* __IP_SET_PORTMAP_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_set_prime.h include/linux/netfilter_ipv4/ip_set_prime.h
--- include.orig/linux/netfilter_ipv4/ip_set_prime.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_set_prime.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_set_prime.h 2005-08-02 20:02:17.825229760 +0200
@@ -0,0 +1,34 @@
+#ifndef __IP_SET_PRIME_H
+#define __IP_SET_PRIME_H
+
+#endif /* __IP_SET_PRIME_H */
diff -uNr include.orig/linux/netfilter_ipv4/ip_tables.h include/linux/netfilter_ipv4/ip_tables.h
---- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-03-13 21:53:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ip_tables.h 2005-05-06 22:43:31.000000000 +0200
+--- include.orig/linux/netfilter_ipv4/ip_tables.h 2005-07-06 02:17:20.000000000 +0200
++++ include/linux/netfilter_ipv4/ip_tables.h 2005-08-02 20:02:17.815231280 +0200
@@ -101,7 +101,8 @@
/* Values for "flag" field in struct ipt_ip (general ip structure). */
#define IPT_SO_SET_ADD_COUNTERS (IPT_BASE_CTL + 1)
#define IPT_SO_SET_MAX IPT_SO_SET_ADD_COUNTERS
-+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3)
-+#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4)
-+#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
++#define IPT_SO_SET_ACCOUNT_HANDLE_FREE (IPT_BASE_CTL + 3)
++#define IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL (IPT_BASE_CTL + 4)
++#define IPT_SO_SET_ACCOUNT_MAX IPT_SO_SET_ACCOUNT_HANDLE_FREE_ALL
+
#define IPT_SO_GET_INFO (IPT_BASE_CTL)
#define IPT_SO_GET_ENTRIES (IPT_BASE_CTL + 1)
#define IPT_SO_GET_REVISION_TARGET (IPT_BASE_CTL + 3)
#define IPT_SO_GET_MAX IPT_SO_GET_REVISION_TARGET
-+#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3)
-+#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4)
-+#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5)
-+#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6)
-+#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7)
-+#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
++#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_BASE_CTL + 3)
++#define IPT_SO_GET_ACCOUNT_PREPARE_READ_FLUSH (IPT_BASE_CTL + 4)
++#define IPT_SO_GET_ACCOUNT_GET_DATA (IPT_BASE_CTL + 5)
++#define IPT_SO_GET_ACCOUNT_GET_HANDLE_USAGE (IPT_BASE_CTL + 6)
++#define IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES (IPT_BASE_CTL + 7)
++#define IPT_SO_GET_ACCOUNT_MAX IPT_SO_GET_ACCOUNT_GET_TABLE_NAMES
+
/* CONTINUE verdict for targets */
#define IPT_CONTINUE 0xFFFFFFFF
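Review bot: `IPT_SO_GET_ACCOUNT_PREPARE_READ` is defined as `(IPT_BASE_CTL + 3)`, the same value as `IPT_SO_GET_REVISION_TARGET` a few lines above, and `IPT_SO_GET_MAX` still ends at `IPT_SO_GET_REVISION_TARGET`. The ACCOUNT get options therefore start inside the range ip_tables already owns. Depending on how the ACCOUNT code registers its sockopt range (not visible here), either that registration is refused for overlapping, or a request for one option can be dispatched to the other handler, which would then interpret a user buffer laid out for a different request. Number the ACCOUNT options from above the existing maximum, e.g. `#define IPT_SO_GET_ACCOUNT_PREPARE_READ (IPT_SO_GET_MAX + 1)`, and change the matching userspace header at the same time, since this alters the ABI. Only part of the option list is shown in the hunk.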
diff -uNr include.orig/linux/netfilter_ipv4/ipt_account.h include/linux/netfilter_ipv4/ipt_account.h
--- include.orig/linux/netfilter_ipv4/ipt_account.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_account.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_account.h 2005-08-02 20:02:17.786235688 +0200
@@ -0,0 +1,26 @@
+/*
+ * accounting match (ipt_account.c)
+
diff -uNr include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h include/linux/netfilter_ipv4/ipt_ACCOUNT.h
--- include.orig/linux/netfilter_ipv4/ipt_ACCOUNT.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_ACCOUNT.h 2005-08-02 20:02:17.817230976 +0200
@@ -0,0 +1,100 @@
+/***************************************************************************
+ * Copyright (C) 2004 by Intra2net AG *
+#endif /*_IPT_ACCOUNT_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_addrtype.h include/linux/netfilter_ipv4/ipt_addrtype.h
--- include.orig/linux/netfilter_ipv4/ipt_addrtype.h 2004-10-31 20:56:02.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_addrtype.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_addrtype.h 2005-08-02 20:02:17.751241008 +0200
@@ -4,8 +4,8 @@
struct ipt_addrtype_info {
u_int16_t source; /* source-type mask */
#endif
diff -uNr include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h include/linux/netfilter_ipv4/ipt_CLUSTERIP.h
--- include.orig/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-01-08 15:03:55.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_CLUSTERIP.h 2005-08-02 20:02:17.832228696 +0200
@@ -9,7 +9,7 @@
#define CLUSTERIP_HASHMODE_MAX CLUSTERIP_HASHMODE_SIP_SPT_DPT
diff -uNr include.orig/linux/netfilter_ipv4/ipt_connlimit.h include/linux/netfilter_ipv4/ipt_connlimit.h
--- include.orig/linux/netfilter_ipv4/ipt_connlimit.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_connlimit.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_connlimit.h 2005-08-02 20:02:17.723245264 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_CONNLIMIT_H
+#define _IPT_CONNLIMIT_H
+ struct ipt_connlimit_data *data;
+};
+#endif /* _IPT_CONNLIMIT_H */
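Review bot: `struct ipt_connlimit_data *data;` is a kernel pointer that appears to sit inside the match-info structure shared with the iptables userspace binary; the struct's opening lines are outside this hunk, so that is inferred from where the header lives. If so, the field should be documented as kernel-private, so that a value arriving from user space is never trusted and it is clear the address may be visible when rules are read back. I would add a comment above it such as `/* Kernel-internal state: set by the kernel when the rule is loaded, never taken from user space */`. It is also worth confirming that the match code overwrites the field unconditionally before first use.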
-diff -uNr include.orig/linux/netfilter_ipv4/ipt_conntrack.h include/linux/netfilter_ipv4/ipt_conntrack.h
---- include.orig/linux/netfilter_ipv4/ipt_conntrack.h 2005-03-26 19:58:02.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_conntrack.h 2005-04-30 03:30:23.000000000 +0200
-@@ -5,8 +5,6 @@
- #ifndef _IPT_CONNTRACK_H
- #define _IPT_CONNTRACK_H
-
--#include <asm/types.h>
--
- #define IPT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
- #define IPT_CONNTRACK_STATE_INVALID (1 << 0)
-
-@@ -41,7 +39,7 @@
- } u;
-
- /* The protocol. */
-- __u16 protonum;
-+ u16 protonum;
- } dst;
- };
-
diff -uNr include.orig/linux/netfilter_ipv4/ipt_fuzzy.h include/linux/netfilter_ipv4/ipt_fuzzy.h
--- include.orig/linux/netfilter_ipv4/ipt_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_fuzzy.h 2005-08-02 20:02:17.781236448 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_FUZZY_H
+#define _IPT_FUZZY_H
+#endif /*_IPT_FUZZY_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_geoip.h include/linux/netfilter_ipv4/ipt_geoip.h
--- include.orig/linux/netfilter_ipv4/ipt_geoip.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_geoip.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_geoip.h 2005-08-02 20:02:17.769238272 +0200
@@ -0,0 +1,50 @@
+/* ipt_geoip.h header file for libipt_geoip.c and ipt_geoip.c
+ *
+
+#endif
+
-diff -uNr include.orig/linux/netfilter_ipv4/ipt_IMQ.h include/linux/netfilter_ipv4/ipt_IMQ.h
---- include.orig/linux/netfilter_ipv4/ipt_IMQ.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_IMQ.h 2005-05-06 09:24:35.000000000 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _IPT_IMQ_H
-+#define _IPT_IMQ_H
-+
-+struct ipt_imq_info {
-+ unsigned int todev; /* target imq device */
-+};
-+
-+#endif /* _IPT_IMQ_H */
diff -uNr include.orig/linux/netfilter_ipv4/ipt_IPMARK.h include/linux/netfilter_ipv4/ipt_IPMARK.h
--- include.orig/linux/netfilter_ipv4/ipt_IPMARK.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_IPMARK.h 2005-08-02 20:02:17.756240248 +0200
@@ -0,0 +1,13 @@
+#ifndef _IPT_IPMARK_H_target
+#define _IPT_IPMARK_H_target
+#endif /*_IPT_IPMARK_H_target*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipp2p.h include/linux/netfilter_ipv4/ipt_ipp2p.h
--- include.orig/linux/netfilter_ipv4/ipt_ipp2p.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_ipp2p.h 2005-08-02 20:02:17.784235992 +0200
@@ -0,0 +1,29 @@
+#ifndef __IPT_IPP2P_H
+#define __IPT_IPP2P_H
-+#define IPP2P_VERSION "0.7.2"
++#define IPP2P_VERSION "0.7.4"
+
+struct ipt_p2p_info {
+ int cmd;
+
diff -uNr include.orig/linux/netfilter_ipv4/ipt_ipv4options.h include/linux/netfilter_ipv4/ipt_ipv4options.h
--- include.orig/linux/netfilter_ipv4/ipt_ipv4options.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_ipv4options.h 2005-08-02 20:02:17.733243744 +0200
@@ -0,0 +1,21 @@
+#ifndef __ipt_ipv4options_h_included__
+#define __ipt_ipv4options_h_included__
+#endif /* __ipt_ipv4options_h_included__ */
diff -uNr include.orig/linux/netfilter_ipv4/ipt_layer7.h include/linux/netfilter_ipv4/ipt_layer7.h
--- include.orig/linux/netfilter_ipv4/ipt_layer7.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_layer7.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_layer7.h 2005-08-02 20:02:17.736243288 +0200
@@ -0,0 +1,26 @@
+/*
+ By Matthew Strait <quadong@users.sf.net>, Dec 2003.
+#endif /* _IPT_LAYER7_H */
diff -uNr include.orig/linux/netfilter_ipv4/ipt_nth.h include/linux/netfilter_ipv4/ipt_nth.h
--- include.orig/linux/netfilter_ipv4/ipt_nth.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_nth.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_nth.h 2005-08-02 20:02:17.760239640 +0200
@@ -0,0 +1,19 @@
+#ifndef _IPT_NTH_H
+#define _IPT_NTH_H
+#endif /*_IPT_NTH_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_osf.h include/linux/netfilter_ipv4/ipt_osf.h
--- include.orig/linux/netfilter_ipv4/ipt_osf.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_osf.h 2005-05-06 22:16:43.000000000 +0200
-@@ -0,0 +1,94 @@
++++ include/linux/netfilter_ipv4/ipt_osf.h 2005-08-02 20:02:17.783236144 +0200
+@@ -0,0 +1,151 @@
+/*
+ * ipt_osf.h
+ *
+#define IPT_OSF_SMART 2
+#define IPT_OSF_LOG 4
+#define IPT_OSF_NETLINK 8
++#define IPT_OSF_CONNECTOR 16
+
+#define IPT_OSF_LOGLEVEL_ALL 0
+#define IPT_OSF_LOGLEVEL_FIRST 1
+
++#ifndef __KERNEL__
+#include <netinet/ip.h>
+#include <netinet/tcp.h>
+
+{
+ struct list_head *prev, *next;
+};
++#endif
+
+struct ipt_osf_info
+{
+ struct tcphdr tcp;
+};
+
++#ifdef __KERNEL__
++
++#include <linux/list.h>
++#include <net/tcp.h>
++
++
++/* Defines for IANA option kinds */
++
++#define OSFOPT_EOL 0 /* End of options */
++#define OSFOPT_NOP 1 /* NOP */
++#define OSFOPT_MSS 2 /* Maximum segment size */
++#define OSFOPT_WSO 3 /* Window scale option */
++#define OSFOPT_SACKP 4 /* SACK permitted */
++#define OSFOPT_SACK 5 /* SACK */
++#define OSFOPT_ECHO 6
++#define OSFOPT_ECHOREPLY 7
++#define OSFOPT_TS 8 /* Timestamp option */
++#define OSFOPT_POCP 9 /* Partial Order Connection Permitted */
++#define OSFOPT_POSP 10 /* Partial Order Service Profile */
++/* Others are not used in current OSF */
++
++static struct osf_opt IANA_opts[] =
++{
++ {0, 1,},
++ {1, 1,},
++ {2, 4,},
++ {3, 3,},
++ {4, 2,},
++ {5, 1 ,}, /* SACK length is not defined */
++ {6, 6,},
++ {7, 6,},
++ {8, 10,},
++ {9, 2,},
++ {10, 3,},
++ {11, 1,}, /* CC: Suppose 1 */
++ {12, 1,}, /* the same */
++ {13, 1,}, /* and here too */
++ {14, 3,},
++ {15, 1,}, /* TCP Alternate Checksum Data. Length is not defined */
++ {16, 1,},
++ {17, 1,},
++ {18, 3,},
++ {19, 18,},
++ {20, 1,},
++ {21, 1,},
++ {22, 1,},
++ {23, 1,},
++ {24, 1,},
++ {25, 1,},
++ {26, 1,},
++};
++
++#endif /* __KERNEL__ */
++
+#endif /* _IPT_OSF_H */
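Review bot: `static struct osf_opt IANA_opts[]` is defined, not just declared, in this header, so every kernel file that includes ipt_osf.h gets its own writable copy of the table. If nothing modifies it, declare it `static const struct osf_opt IANA_opts[]`, or move the definition into the one .c file that uses it and keep only the `OSFOPT_*` constants here. Several entries carry a guessed length of 1 (`{5, 1 ,}`, `{11, 1,}`, `{15, 1,}`). The option parser is not part of this hunk, but if it advances by these table lengths it should still be bounded by the length byte and header size taken from the packet, since TCP options are sender-controlled. A one-line comment above the table saying what the second field means (presumably the total option length in bytes) would help.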
diff -uNr include.orig/linux/netfilter_ipv4/ipt_policy.h include/linux/netfilter_ipv4/ipt_policy.h
--- include.orig/linux/netfilter_ipv4/ipt_policy.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_policy.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_policy.h 2005-08-02 20:02:17.735243440 +0200
@@ -0,0 +1,52 @@
+#ifndef _IPT_POLICY_H
+#define _IPT_POLICY_H
+#endif /* _IPT_POLICY_H */
diff -uNr include.orig/linux/netfilter_ipv4/ipt_psd.h include/linux/netfilter_ipv4/ipt_psd.h
--- include.orig/linux/netfilter_ipv4/ipt_psd.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_psd.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_psd.h 2005-08-02 20:02:17.778236904 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_PSD_H
+#define _IPT_PSD_H
+#endif /*_IPT_PSD_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_quota.h include/linux/netfilter_ipv4/ipt_quota.h
--- include.orig/linux/netfilter_ipv4/ipt_quota.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_quota.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_quota.h 2005-08-02 20:02:17.762239336 +0200
@@ -0,0 +1,12 @@
+#ifndef _IPT_QUOTA_H
+#define _IPT_QUOTA_H
+};
+
+#endif /*_IPT_QUOTA_H*/
+diff -uNr include.orig/linux/netfilter_ipv4/ipt_recent.h include/linux/netfilter_ipv4/ipt_recent.h
+--- include.orig/linux/netfilter_ipv4/ipt_recent.h 2004-10-31 20:56:00.000000000 +0100
++++ include/linux/netfilter_ipv4/ipt_recent.h 2005-08-02 20:02:17.720245720 +0200
+@@ -2,7 +2,7 @@
+ #define _IPT_RECENT_H
+
+ #define RECENT_NAME "ipt_recent"
+-#define RECENT_VER "v0.3.1"
++#define RECENT_VER "v0.3.2"
+
+ #define IPT_RECENT_CHECK 1
+ #define IPT_RECENT_SET 2
diff -uNr include.orig/linux/netfilter_ipv4/ipt_ROUTE.h include/linux/netfilter_ipv4/ipt_ROUTE.h
--- include.orig/linux/netfilter_ipv4/ipt_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_ROUTE.h 2005-08-02 20:02:17.726244808 +0200
@@ -0,0 +1,23 @@
+/* Header file for iptables ipt_ROUTE target
+ *
+#endif /*_IPT_ROUTE_H_target*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_set.h include/linux/netfilter_ipv4/ipt_set.h
--- include.orig/linux/netfilter_ipv4/ipt_set.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_set.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_set.h 2005-08-02 20:02:17.721245568 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_SET_H
+#define _IPT_SET_H
+#endif /*_IPT_SET_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_string.h include/linux/netfilter_ipv4/ipt_string.h
--- include.orig/linux/netfilter_ipv4/ipt_string.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_string.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_string.h 2005-08-02 20:02:17.805232800 +0200
@@ -0,0 +1,21 @@
+#ifndef _IPT_STRING_H
+#define _IPT_STRING_H
+#endif /* _IPT_STRING_H */
diff -uNr include.orig/linux/netfilter_ipv4/ipt_time.h include/linux/netfilter_ipv4/ipt_time.h
--- include.orig/linux/netfilter_ipv4/ipt_time.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_time.h 2005-05-06 09:24:35.000000000 +0200
-@@ -0,0 +1,15 @@
++++ include/linux/netfilter_ipv4/ipt_time.h 2005-08-02 20:02:17.765238880 +0200
+@@ -0,0 +1,18 @@
+#ifndef __ipt_time_h_included__
+#define __ipt_time_h_included__
+
+ u_int8_t days_match; /* 1 bit per day. -SMTWTFS */
+ u_int16_t time_start; /* 0 < time_start < 23*60+59 = 1439 */
+ u_int16_t time_stop; /* 0:0 < time_stat < 23:59 */
++
++ /* FIXME: Keep this one for userspace iptables binary compability: */
+ u_int8_t kerneltime; /* ignore skb time (and use kerneltime) or not. */
++
+ time_t date_start;
+ time_t date_stop;
+};
+#endif /* __ipt_time_h_included__ */
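Review bot: `date_start` and `date_stop` are `time_t` in a structure that the new FIXME on `kerneltime` says is shared with the userspace iptables binary, and `time_t` does not have the same width in every userspace/kernel pairing (a 32-bit iptables on a 64-bit kernel, for example). The structure size then differs between the two sides, so the layout the kernel receives may not be the one userspace wrote. Fixed-width fields would pin the ABI, e.g. `u_int32_t date_start;` and `u_int32_t date_stop;`, changed in step with the userspace extension. Two comment fixes while here: "compability" should read "compatibility", and `time_stat` in the `time_stop` comment is presumably `time_stop`. The structure's opening lines are outside this hunk.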
diff -uNr include.orig/linux/netfilter_ipv4/ipt_TTL.h include/linux/netfilter_ipv4/ipt_TTL.h
--- include.orig/linux/netfilter_ipv4/ipt_TTL.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_TTL.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_TTL.h 2005-08-02 20:02:17.801233408 +0200
@@ -0,0 +1,21 @@
+/* TTL modification module for IP tables
+ * (C) 2000 by Harald Welte <laforge@gnumonks.org> */
+#endif
diff -uNr include.orig/linux/netfilter_ipv4/ipt_u32.h include/linux/netfilter_ipv4/ipt_u32.h
--- include.orig/linux/netfilter_ipv4/ipt_u32.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_u32.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_u32.h 2005-08-02 20:02:17.809232192 +0200
@@ -0,0 +1,40 @@
+#ifndef _IPT_U32_H
+#define _IPT_U32_H
+#endif /*_IPT_U32_H*/
diff -uNr include.orig/linux/netfilter_ipv4/ipt_XOR.h include/linux/netfilter_ipv4/ipt_XOR.h
--- include.orig/linux/netfilter_ipv4/ipt_XOR.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/ipt_XOR.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv4/ipt_XOR.h 2005-08-02 20:02:17.830229000 +0200
@@ -0,0 +1,9 @@
+#ifndef _IPT_XOR_H
+#define _IPT_XOR_H
+};
+
+#endif /* _IPT_XOR_H */
-diff -uNr include.orig/linux/netfilter_ipv4/listhelp.h include/linux/netfilter_ipv4/listhelp.h
---- include.orig/linux/netfilter_ipv4/listhelp.h 2004-10-31 20:56:02.000000000 +0100
-+++ include/linux/netfilter_ipv4/listhelp.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,123 +0,0 @@
--#ifndef _LISTHELP_H
--#define _LISTHELP_H
--#include <linux/netfilter_ipv4/lockhelp.h>
--
--/* Header to do more comprehensive job than linux/list.h; assume list
-- is first entry in structure. */
--
--/* Return pointer to first true entry, if any, or NULL. A macro
-- required to allow inlining of cmpfn. */
--#define LIST_FIND(head, cmpfn, type, args...) \
--({ \
-- const struct list_head *__i, *__j = NULL; \
-- \
-- ASSERT_READ_LOCK(head); \
-- list_for_each(__i, (head)) \
-- if (cmpfn((const type)__i , ## args)) { \
-- __j = __i; \
-- break; \
-- } \
-- (type)__j; \
--})
--
--#define LIST_FIND_W(head, cmpfn, type, args...) \
--({ \
-- const struct list_head *__i, *__j = NULL; \
-- \
-- ASSERT_WRITE_LOCK(head); \
-- list_for_each(__i, (head)) \
-- if (cmpfn((type)__i , ## args)) { \
-- __j = __i; \
-- break; \
-- } \
-- (type)__j; \
--})
--
--/* Just like LIST_FIND but we search backwards */
--#define LIST_FIND_B(head, cmpfn, type, args...) \
--({ \
-- const struct list_head *__i, *__j = NULL; \
-- \
-- ASSERT_READ_LOCK(head); \
-- list_for_each_prev(__i, (head)) \
-- if (cmpfn((const type)__i , ## args)) { \
-- __j = __i; \
-- break; \
-- } \
-- (type)__j; \
--})
--
--static inline int
--__list_cmp_same(const void *p1, const void *p2) { return p1 == p2; }
--
--/* Is this entry in the list? */
--static inline int
--list_inlist(struct list_head *head, const void *entry)
--{
-- return LIST_FIND(head, __list_cmp_same, void *, entry) != NULL;
--}
--
--/* Delete from list. */
--#ifdef CONFIG_NETFILTER_DEBUG
--#define LIST_DELETE(head, oldentry) \
--do { \
-- ASSERT_WRITE_LOCK(head); \
-- if (!list_inlist(head, oldentry)) \
-- printk("LIST_DELETE: %s:%u `%s'(%p) not in %s.\n", \
-- __FILE__, __LINE__, #oldentry, oldentry, #head); \
-- else list_del((struct list_head *)oldentry); \
--} while(0)
--#else
--#define LIST_DELETE(head, oldentry) list_del((struct list_head *)oldentry)
--#endif
--
--/* Append. */
--static inline void
--list_append(struct list_head *head, void *new)
--{
-- ASSERT_WRITE_LOCK(head);
-- list_add((new), (head)->prev);
--}
--
--/* Prepend. */
--static inline void
--list_prepend(struct list_head *head, void *new)
--{
-- ASSERT_WRITE_LOCK(head);
-- list_add(new, head);
--}
--
--/* Insert according to ordering function; insert before first true. */
--#define LIST_INSERT(head, new, cmpfn) \
--do { \
-- struct list_head *__i; \
-- ASSERT_WRITE_LOCK(head); \
-- list_for_each(__i, (head)) \
-- if ((new), (typeof (new))__i) \
-- break; \
-- list_add((struct list_head *)(new), __i->prev); \
--} while(0)
--
--/* If the field after the list_head is a nul-terminated string, you
-- can use these functions. */
--static inline int __list_cmp_name(const void *i, const char *name)
--{
-- return strcmp(name, i+sizeof(struct list_head)) == 0;
--}
--
--/* Returns false if same name already in list, otherwise does insert. */
--static inline int
--list_named_insert(struct list_head *head, void *new)
--{
-- if (LIST_FIND(head, __list_cmp_name, void *,
-- new + sizeof(struct list_head)))
-- return 0;
-- list_prepend(head, new);
-- return 1;
--}
--
--/* Find this named element in the list. */
--#define list_named_find(head, name) \
--LIST_FIND(head, __list_cmp_name, void *, name)
--
--#endif /*_LISTHELP_H*/
-diff -uNr include.orig/linux/netfilter_ipv4/lockhelp.h include/linux/netfilter_ipv4/lockhelp.h
---- include.orig/linux/netfilter_ipv4/lockhelp.h 2004-10-31 20:56:00.000000000 +0100
-+++ include/linux/netfilter_ipv4/lockhelp.h 1970-01-01 01:00:00.000000000 +0100
-@@ -1,127 +0,0 @@
--#ifndef _LOCKHELP_H
--#define _LOCKHELP_H
--
--#include <asm/atomic.h>
--#include <linux/interrupt.h>
--#include <linux/smp.h>
--
--/* Header to do help in lock debugging. */
--
--#ifdef CONFIG_NETFILTER_DEBUG
--struct spinlock_debug
--{
-- spinlock_t l;
-- atomic_t locked_by;
--};
--
--struct rwlock_debug
--{
-- rwlock_t l;
-- long read_locked_map;
-- long write_locked_map;
--};
--
--#define DECLARE_LOCK(l) \
--struct spinlock_debug l = { SPIN_LOCK_UNLOCKED, ATOMIC_INIT(-1) }
--#define DECLARE_LOCK_EXTERN(l) \
--extern struct spinlock_debug l
--#define DECLARE_RWLOCK(l) \
--struct rwlock_debug l = { RW_LOCK_UNLOCKED, 0, 0 }
--#define DECLARE_RWLOCK_EXTERN(l) \
--extern struct rwlock_debug l
--
--#define MUST_BE_LOCKED(l) \
--do { if (atomic_read(&(l)->locked_by) != smp_processor_id()) \
-- printk("ASSERT %s:%u %s unlocked\n", __FILE__, __LINE__, #l); \
--} while(0)
--
--#define MUST_BE_UNLOCKED(l) \
--do { if (atomic_read(&(l)->locked_by) == smp_processor_id()) \
-- printk("ASSERT %s:%u %s locked\n", __FILE__, __LINE__, #l); \
--} while(0)
--
--/* Write locked OK as well. */
--#define MUST_BE_READ_LOCKED(l) \
--do { if (!((l)->read_locked_map & (1UL << smp_processor_id())) \
-- && !((l)->write_locked_map & (1UL << smp_processor_id()))) \
-- printk("ASSERT %s:%u %s not readlocked\n", __FILE__, __LINE__, #l); \
--} while(0)
--
--#define MUST_BE_WRITE_LOCKED(l) \
--do { if (!((l)->write_locked_map & (1UL << smp_processor_id()))) \
-- printk("ASSERT %s:%u %s not writelocked\n", __FILE__, __LINE__, #l); \
--} while(0)
--
--#define MUST_BE_READ_WRITE_UNLOCKED(l) \
--do { if ((l)->read_locked_map & (1UL << smp_processor_id())) \
-- printk("ASSERT %s:%u %s readlocked\n", __FILE__, __LINE__, #l); \
-- else if ((l)->write_locked_map & (1UL << smp_processor_id())) \
-- printk("ASSERT %s:%u %s writelocked\n", __FILE__, __LINE__, #l); \
--} while(0)
--
--#define LOCK_BH(lk) \
--do { \
-- MUST_BE_UNLOCKED(lk); \
-- spin_lock_bh(&(lk)->l); \
-- atomic_set(&(lk)->locked_by, smp_processor_id()); \
--} while(0)
--
--#define UNLOCK_BH(lk) \
--do { \
-- MUST_BE_LOCKED(lk); \
-- atomic_set(&(lk)->locked_by, -1); \
-- spin_unlock_bh(&(lk)->l); \
--} while(0)
--
--#define READ_LOCK(lk) \
--do { \
-- MUST_BE_READ_WRITE_UNLOCKED(lk); \
-- read_lock_bh(&(lk)->l); \
-- set_bit(smp_processor_id(), &(lk)->read_locked_map); \
--} while(0)
--
--#define WRITE_LOCK(lk) \
--do { \
-- MUST_BE_READ_WRITE_UNLOCKED(lk); \
-- write_lock_bh(&(lk)->l); \
-- set_bit(smp_processor_id(), &(lk)->write_locked_map); \
--} while(0)
--
--#define READ_UNLOCK(lk) \
--do { \
-- if (!((lk)->read_locked_map & (1UL << smp_processor_id()))) \
-- printk("ASSERT: %s:%u %s not readlocked\n", \
-- __FILE__, __LINE__, #lk); \
-- clear_bit(smp_processor_id(), &(lk)->read_locked_map); \
-- read_unlock_bh(&(lk)->l); \
--} while(0)
--
--#define WRITE_UNLOCK(lk) \
--do { \
-- MUST_BE_WRITE_LOCKED(lk); \
-- clear_bit(smp_processor_id(), &(lk)->write_locked_map); \
-- write_unlock_bh(&(lk)->l); \
--} while(0)
--
--#else
--#define DECLARE_LOCK(l) spinlock_t l = SPIN_LOCK_UNLOCKED
--#define DECLARE_LOCK_EXTERN(l) extern spinlock_t l
--#define DECLARE_RWLOCK(l) rwlock_t l = RW_LOCK_UNLOCKED
--#define DECLARE_RWLOCK_EXTERN(l) extern rwlock_t l
--
--#define MUST_BE_LOCKED(l)
--#define MUST_BE_UNLOCKED(l)
--#define MUST_BE_READ_LOCKED(l)
--#define MUST_BE_WRITE_LOCKED(l)
--#define MUST_BE_READ_WRITE_UNLOCKED(l)
--
--#define LOCK_BH(l) spin_lock_bh(l)
--#define UNLOCK_BH(l) spin_unlock_bh(l)
--
--#define READ_LOCK(l) read_lock_bh(l)
--#define WRITE_LOCK(l) write_lock_bh(l)
--#define READ_UNLOCK(l) read_unlock_bh(l)
--#define WRITE_UNLOCK(l) write_unlock_bh(l)
--#endif /*CONFIG_NETFILTER_DEBUG*/
--
--#endif /* _LOCKHELP_H */
-diff -uNr include.orig/linux/netfilter_ipv6/ip6_logging.h include/linux/netfilter_ipv6/ip6_logging.h
---- include.orig/linux/netfilter_ipv6/ip6_logging.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6_logging.h 2005-05-06 23:14:29.000000000 +0200
-@@ -0,0 +1,5 @@
-+/* IPv6 macros for the nternal logging interface. */
-+#ifndef __IP6_LOGGING_H
-+#define __IP6_LOGGING_H
-+
-+#endif /*__IP6_LOGGING_H*/
-diff -uNr include.orig/linux/netfilter_ipv6/ip6_tables.h include/linux/netfilter_ipv6/ip6_tables.h
---- include.orig/linux/netfilter_ipv6/ip6_tables.h 2004-10-31 20:56:06.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6_tables.h 2005-05-06 23:15:05.000000000 +0200
-@@ -99,7 +99,6 @@
- u_int64_t pcnt, bcnt; /* Packet and byte counters */
- };
+diff -uNr include.orig/linux/netfilter_ipv4.h include/linux/netfilter_ipv4.h
+--- include.orig/linux/netfilter_ipv4.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/netfilter_ipv4.h 2005-08-02 20:02:17.660254840 +0200
+@@ -7,34 +7,6 @@
+
+ #include <linux/netfilter.h>
+-/* IP Cache bits. */
+-/* Src IP address. */
+-#define NFC_IP_SRC 0x0001
+-/* Dest IP address. */
+-#define NFC_IP_DST 0x0002
+-/* Input device. */
+-#define NFC_IP_IF_IN 0x0004
+-/* Output device. */
+-#define NFC_IP_IF_OUT 0x0008
+-/* TOS. */
+-#define NFC_IP_TOS 0x0010
+-/* Protocol. */
+-#define NFC_IP_PROTO 0x0020
+-/* IP options. */
+-#define NFC_IP_OPTIONS 0x0040
+-/* Frag & flags. */
+-#define NFC_IP_FRAG 0x0080
+-
+-/* Per-protocol information: only matters if proto match. */
+-/* TCP flags. */
+-#define NFC_IP_TCPFLAGS 0x0100
+-/* Source port. */
+-#define NFC_IP_SRC_PT 0x0200
+-/* Dest port. */
+-#define NFC_IP_DST_PT 0x0400
+-/* Something else about the proto */
+-#define NFC_IP_PROTO_UNKNOWN 0x2000
-
- /* Values for "flag" field in struct ip6t_ip6 (general ip6 structure). */
- #define IP6T_F_PROTO 0x01 /* Set if rule cares about upper
- protocols */
+ /* IP Hooks */
+ /* After promisc drops, checksum checks. */
+ #define NF_IP_PRE_ROUTING 0
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h include/linux/netfilter_ipv6/ip6t_fuzzy.h
--- include.orig/linux/netfilter_ipv6/ip6t_fuzzy.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_fuzzy.h 2005-08-02 20:02:17.652256056 +0200
@@ -0,0 +1,21 @@
+#ifndef _IP6T_FUZZY_H
+#define _IP6T_FUZZY_H
+#endif /*_IP6T_FUZZY_H*/
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_HL.h include/linux/netfilter_ipv6/ip6t_HL.h
--- include.orig/linux/netfilter_ipv6/ip6t_HL.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_HL.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_HL.h 2005-08-02 20:02:17.656255448 +0200
@@ -0,0 +1,22 @@
+/* Hop Limit modification module for ip6tables
+ * Maciej Soltysiak <solt@dns.toxicfilms.tv>
+
+
+#endif
-diff -uNr include.orig/linux/netfilter_ipv6/ip6t_IMQ.h include/linux/netfilter_ipv6/ip6t_IMQ.h
---- include.orig/linux/netfilter_ipv6/ip6t_IMQ.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_IMQ.h 2005-05-06 09:24:35.000000000 +0200
-@@ -0,0 +1,8 @@
-+#ifndef _IP6T_IMQ_H
-+#define _IP6T_IMQ_H
-+
-+struct ip6t_imq_info {
-+ unsigned int todev; /* target imq device */
-+};
-+
-+#endif /* _IP6T_IMQ_H */
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_nth.h include/linux/netfilter_ipv6/ip6t_nth.h
--- include.orig/linux/netfilter_ipv6/ip6t_nth.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_nth.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_nth.h 2005-08-02 20:02:17.652256056 +0200
@@ -0,0 +1,19 @@
+#ifndef _IP6T_NTH_H
+#define _IP6T_NTH_H
+#endif /*_IP6T_NTH_H*/
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_policy.h include/linux/netfilter_ipv6/ip6t_policy.h
--- include.orig/linux/netfilter_ipv6/ip6t_policy.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_policy.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_policy.h 2005-08-02 20:02:17.655255600 +0200
@@ -0,0 +1,52 @@
+#ifndef _IP6T_POLICY_H
+#define _IP6T_POLICY_H
+#endif /* _IP6T_POLICY_H */
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_REJECT.h include/linux/netfilter_ipv6/ip6t_REJECT.h
--- include.orig/linux/netfilter_ipv6/ip6t_REJECT.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_REJECT.h 2005-08-02 20:02:17.657255296 +0200
@@ -0,0 +1,18 @@
+#ifndef _IP6T_REJECT_H
+#define _IP6T_REJECT_H
+#endif /*_IP6T_REJECT_H*/
diff -uNr include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h include/linux/netfilter_ipv6/ip6t_ROUTE.h
--- include.orig/linux/netfilter_ipv6/ip6t_ROUTE.h 1970-01-01 01:00:00.000000000 +0100
-+++ include/linux/netfilter_ipv6/ip6t_ROUTE.h 2005-05-06 09:24:35.000000000 +0200
++++ include/linux/netfilter_ipv6/ip6t_ROUTE.h 2005-08-02 20:02:17.654255752 +0200
@@ -0,0 +1,23 @@
+/* Header file for iptables ip6t_ROUTE target
+ *
+#define IP6T_ROUTE_TEE 0x02
+
+#endif /*_IP6T_ROUTE_H_target*/
+diff -uNr include.orig/linux/netfilter_ipv6.h include/linux/netfilter_ipv6.h
+--- include.orig/linux/netfilter_ipv6.h 2004-10-31 20:55:40.000000000 +0100
++++ include/linux/netfilter_ipv6.h 2005-08-02 20:02:17.661254688 +0200
+@@ -56,6 +56,7 @@
+
+ enum nf_ip6_hook_priorities {
+ NF_IP6_PRI_FIRST = INT_MIN,
++ NF_IP6_PRI_CONNTRACK_DEFRAG = -400,
+ NF_IP6_PRI_SELINUX_FIRST = -225,
+ NF_IP6_PRI_CONNTRACK = -200,
+ NF_IP6_PRI_BRIDGE_SABOTAGE_FORWARD = -175,
+@@ -68,4 +69,6 @@
+ NF_IP6_PRI_LAST = INT_MAX,
+ };
+
++#define SO_ORIGINAL_DST 80
++
+ #endif /*__LINUX_IP6_NETFILTER_H*/
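Review bot: `#define SO_ORIGINAL_DST 80` is added here with no comment saying where the number comes from. The IPv4 netfilter header is not part of this hunk, but if it defines the same name, the two values must stay identical or any file including both headers gets a macro redefinition. I would document the coupling next to the define, e.g. `/* Must match SO_ORIGINAL_DST in linux/netfilter_ipv4.h */`, rather than wrap it in `#ifndef`, which would hide a mismatch instead of reporting it.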
diff -uNr include.orig/linux/netlink.h include/linux/netlink.h
--- include.orig/linux/netlink.h 2005-01-08 15:03:40.000000000 +0100
-+++ include/linux/netlink.h 2005-05-06 23:15:44.000000000 +0200
++++ include/linux/netlink.h 2005-08-02 20:02:17.679251952 +0200
@@ -14,6 +14,7 @@
#define NETLINK_SELINUX 7 /* SELinux event notifications */
#define NETLINK_ARPD 8
#define NETLINK_ROUTE6 11 /* af_inet6 route comm channel */
#define NETLINK_IP6_FW 13
#define NETLINK_DNRTMSG 14 /* DECnet routing messages */
-@@ -91,11 +92,11 @@
- struct nlmsghdr msg;
- };
-
--#define NET_MAJOR 36 /* Major 36 is reserved for networking */
-+#define NET_MAJOR 36 /* Major 36 is reserved for networking */
-
- enum {
- NETLINK_UNCONNECTED = 0,
-- NETLINK_CONNECTED
-+ NETLINK_CONNECTED,
- };
-
- #endif /* __LINUX_NETLINK_H */
diff -uNr include.orig/linux/skbuff.h include/linux/skbuff.h
---- include.orig/linux/skbuff.h 2004-10-31 20:55:28.000000000 +0100
-+++ include/linux/skbuff.h 2005-05-06 22:50:01.000000000 +0200
-@@ -15,10 +15,13 @@
- #define _LINUX_SKBUFF_H
-
- #include <linux/kernel.h>
--#include <sys/time.h>
-+#include <linux/time.h>
- #include <linux/cache.h>
-
-+#include <asm/atomic.h>
- #include <asm/types.h>
-+#include <linux/mm.h>
-+#include <linux/highmem.h>
- #include <linux/poll.h>
- #include <linux/net.h>
- #include <net/checksum.h>
-@@ -245,12 +248,19 @@
+--- include.orig/linux/skbuff.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/skbuff.h 2005-08-02 20:02:17.667253776 +0200
+@@ -258,6 +258,9 @@
__u32 nfcache;
__u32 nfctinfo;
struct nf_conntrack *nfct;
#ifdef CONFIG_NETFILTER_DEBUG
unsigned int nf_debug;
#endif
- #ifdef CONFIG_BRIDGE_NETFILTER
- struct nf_bridge_info *nf_bridge;
- #endif
-+#if defined(CONFIG_IMQ) || defined(CONFIG_IMQ_MODULE)
-+ unsigned char imq_flags;
-+ struct nf_info *nf_info;
-+#endif
- #endif /* CONFIG_NETFILTER */
- #if defined(CONFIG_HIPPI)
- union {
diff -uNr include.orig/linux/sysctl.h include/linux/sysctl.h
---- include.orig/linux/sysctl.h 2005-03-13 21:53:56.000000000 +0100
-+++ include/linux/sysctl.h 2005-05-06 22:50:56.000000000 +0200
-@@ -18,8 +18,11 @@
- #ifndef _LINUX_SYSCTL_H
- #define _LINUX_SYSCTL_H
-
-+#include <linux/kernel.h>
- #include <linux/types.h>
-
-+struct file;
-+
- #define CTL_MAXNAME 10 /* how many path components do we allow in a
- call to sysctl? In other words, what is
- the largest acceptable value for the nlen
-@@ -123,34 +126,35 @@
- KERN_SPARC_SCONS_PWROFF=64, /* int: serial console power-off halt */
- KERN_HZ_TIMER=65, /* int: hz timer on or off */
- KERN_UNKNOWN_NMI_PANIC=66, /* int: unknown nmi panic flag */
-- KERN_BOOTLOADER_TYPE=67 /* int: boot loader type */
-+ KERN_BOOTLOADER_TYPE=67, /* int: boot loader type */
-+ KERN_FBSPLASH=68, /* string: path to fbsplash helper */
-+ KERN_GRSECURITY=69, /* grsecurity */
-+
-+#ifdef CONFIG_PAX_SOFTMODE
-+ KERN_PAX=70, /* PaX control */
-+#endif
- };
-
-+#ifdef CONFIG_PAX_SOFTMODE
-+enum {
-+ PAX_ASLR=1, /* PaX: disable/enable all randomization features */
-+ PAX_SOFTMODE=2 /* PaX: disable/enable soft mode */
-+};
-+#endif
-
- /* CTL_VM names: */
- enum
- {
-- VM_SWAPCTL=1, /* [<2.6 ONLY] struct: Set vm swapping control */
-- VM_SWAPOUT=2, /* [<2.6 ONLY] int: Linear or sqrt() swapout for hogs */
-- VM_FREEPG=3, /* [<2.6 ONLY] struct: Set free page thresholds */
-- VM_BDFLUSH=4, /* [<2.6 ONLY] struct: Control buffer cache flushing */
- VM_UNUSED1=1, /* was: struct: Set vm swapping control */
- VM_UNUSED2=2, /* was; int: Linear or sqrt() swapout for hogs */
- VM_UNUSED3=3, /* was: struct: Set free page thresholds */
- VM_UNUSED4=4, /* Spare */
- VM_OVERCOMMIT_MEMORY=5, /* Turn off the virtual memory safety limit */
-- VM_BUFFERMEM=6, /* [<2.6 ONLY] struct: Set buffer memory thresholds */
-- VM_PAGECACHE=7, /* [<2.6 ONLY] struct: Set cache memory thresholds */
-- VM_PAGERDAEMON=8, /* [<2.6 ONLY] struct: Control kswapd behaviour */
-- VM_PGT_CACHE=9, /* [<2.6 ONLY] struct: Set page table cache parameters */
- VM_UNUSED5=6, /* was: struct: Set buffer memory thresholds */
- VM_UNUSED7=7, /* was: struct: Set cache memory thresholds */
- VM_UNUSED8=8, /* was: struct: Control kswapd behaviour */
- VM_UNUSED9=9, /* was: struct: Set page table cache parameters */
- VM_PAGE_CLUSTER=10, /* int: set number of pages to swap together */
-- /*VM_MAX_MAP_COUNT=11, [<2.6] int: Maximum number of active map areas */
-- VM_MIN_READAHEAD=12, /* [<2.6] Min file readahead */
-- VM_MAX_READAHEAD=13, /* [<2.6] Max file readahead */
- VM_DIRTY_BACKGROUND=11, /* dirty_background_ratio */
- VM_DIRTY_RATIO=12, /* dirty_ratio */
- VM_DIRTY_WB_CS=13, /* dirty_writeback_centisecs */
-@@ -168,7 +172,7 @@
- VM_HUGETLB_GROUP=25, /* permitted hugetlb group */
- VM_VFS_CACHE_PRESSURE=26, /* dcache/icache reclaim pressure */
- VM_LEGACY_VA_LAYOUT=27, /* legacy/compatibility virtual address space layout */
-- VM_SWAP_TOKEN_TIMEOUT=28 /* default time for token time out */
-+ VM_SWAP_TOKEN_TIMEOUT=28, /* default time for token time out */
- };
-
-
-@@ -191,8 +195,8 @@
- NET_TR=14,
+--- include.orig/linux/sysctl.h 2005-07-06 02:17:21.000000000 +0200
++++ include/linux/sysctl.h 2005-08-02 20:03:45.127957728 +0200
+@@ -193,7 +193,8 @@
NET_DECNET=15,
NET_ECONET=16,
-- NET_KHTTPD=17, /* [<2.6] */
+ NET_KHTTPD=17, /* [<2.6] */
- NET_SCTP=17
-+ NET_SCTP=17,
-+ NET_NETFILTER=18,
++ NET_SCTP=17,
++ NET_NETFILTER=18
};
/* /proc/sys/kernel/random */
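Review bot: `NET_NETFILTER=18` allocates a binary sysctl number in a local patch, and that number becomes user-space ABI once anything is built against this header. The same enum already shows 17 carried by both `NET_KHTTPD` and `NET_SCTP`, so collisions in this table are not hypothetical. Mainline may hand 18 to a different subsystem, in which case programs built against this header would address the wrong sysctl tree on other kernels. I would mark the line as provisional, e.g. `NET_NETFILTER=18 /* local allocation, not reserved upstream: verify before merging */`. The enum starts outside this hunk.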
-@@ -241,7 +245,7 @@
- NET_CORE_LO_CONG=15,
- NET_CORE_MOD_CONG=16,
- NET_CORE_DEV_WEIGHT=17,
-- NET_CORE_SOMAXCONN=18
-+ NET_CORE_SOMAXCONN=18,
+@@ -258,6 +259,42 @@
+ NET_UNIX_MAX_DGRAM_QLEN=3
};
- /* /proc/sys/net/ethernet */
-@@ -254,7 +258,43 @@
- {
- NET_UNIX_DESTROY_DELAY=1,
- NET_UNIX_DELETE_DELAY=2,
-- NET_UNIX_MAX_DGRAM_QLEN=3
-+ NET_UNIX_MAX_DGRAM_QLEN=3,
-+};
-+
+/* /proc/sys/net/netfilter */
+enum
+{
+ NET_NF_CONNTRACK_FRAG6_TIMEOUT=29,
+ NET_NF_CONNTRACK_FRAG6_LOW_THRESH=30,
+ NET_NF_CONNTRACK_FRAG6_HIGH_THRESH=31,
- };
-
++};
++
/* /proc/sys/net/ipv4 */
-@@ -345,7 +385,7 @@
- NET_TCP_DEFAULT_WIN_SCALE=105,
- NET_TCP_MODERATE_RCVBUF=106,
- NET_TCP_TSO_WIN_DIVISOR=107,
-- NET_TCP_BIC_BETA=108
-+ NET_TCP_BIC_BETA=108,
- };
-
- enum {
-@@ -367,7 +407,9 @@
- NET_IPV4_ROUTE_MIN_PMTU=16,
- NET_IPV4_ROUTE_MIN_ADVMSS=17,
- NET_IPV4_ROUTE_SECRET_INTERVAL=18,
-- NET_IPV4_ROUTE_GC_MIN_INTERVAL_MS=19
-+ NET_IPV4_ROUTE_GC_MIN_INTERVAL_MS=19,
-+ NET_IPV4_ROUTE_GC_INTERVAL_MS=20,
-+ NET_IPV4_ROUTE_GC_DEBUG=21,
- };
-
enum
-@@ -398,7 +440,7 @@
- NET_IPV4_CONF_NOPOLICY=16,
- NET_IPV4_CONF_FORCE_IGMP_VERSION=17,
- NET_IPV4_CONF_ARP_ANNOUNCE=18,
-- NET_IPV4_CONF_ARP_IGNORE=19
-+ NET_IPV4_CONF_ARP_IGNORE=19,
- };
-
- /* /proc/sys/net/ipv4/netfilter */
-@@ -430,7 +472,7 @@
- NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT=24,
- NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD=25,
- NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT=26,
-- NET_IPV4_NF_CONNTRACK_COUNT=27
-+ NET_IPV4_NF_CONNTRACK_COUNT=27,
- };
-
- /* /proc/sys/net/ipv6 */
-@@ -444,7 +486,7 @@
- NET_IPV6_IP6FRAG_LOW_THRESH=22,
- NET_IPV6_IP6FRAG_TIME=23,
- NET_IPV6_IP6FRAG_SECRET_INTERVAL=24,
-- NET_IPV6_MLD_MAX_MSF=25
-+ NET_IPV6_MLD_MAX_MSF=25,
- };
-
- enum {
-@@ -621,23 +663,6 @@
- NET_DECNET_CONF_DEV_STATE = 7
- };
-
--/* /proc/sys/net/khttpd/ [<2.6 ONLY] */
--enum {
-- NET_KHTTPD_DOCROOT = 1,
-- NET_KHTTPD_START = 2,
-- NET_KHTTPD_STOP = 3,
-- NET_KHTTPD_UNLOAD = 4,
-- NET_KHTTPD_CLIENTPORT = 5,
-- NET_KHTTPD_PERMREQ = 6,
-- NET_KHTTPD_PERMFORBID = 7,
-- NET_KHTTPD_LOGGING = 8,
-- NET_KHTTPD_SERVERPORT = 9,
-- NET_KHTTPD_DYNAMICSTRING= 10,
-- NET_KHTTPD_SLOPPYMIME = 11,
-- NET_KHTTPD_THREADS = 12,
-- NET_KHTTPD_MAXCONNECT = 13
--};
--
- /* /proc/sys/net/sctp */
- enum {
- NET_SCTP_RTO_INITIAL = 1,
-@@ -653,7 +678,7 @@
- NET_SCTP_PRESERVE_ENABLE = 11,
- NET_SCTP_MAX_BURST = 12,
- NET_SCTP_ADDIP_ENABLE = 13,
-- NET_SCTP_PRSCTP_ENABLE = 14
-+ NET_SCTP_PRSCTP_ENABLE = 14,
- };
-
- /* /proc/sys/net/bridge */
-@@ -661,7 +686,7 @@
- NET_BRIDGE_NF_CALL_ARPTABLES = 1,
- NET_BRIDGE_NF_CALL_IPTABLES = 2,
- NET_BRIDGE_NF_CALL_IP6TABLES = 3,
-- NET_BRIDGE_NF_FILTER_VLAN_TAGGED = 4
-+ NET_BRIDGE_NF_FILTER_VLAN_TAGGED = 4,
- };
-
- /* CTL_PROC names: */
-@@ -687,7 +712,7 @@
- FS_DQSTATS=16, /* disc quota usage statistics and control */
- FS_XFS=17, /* struct: control xfs parameters */
- FS_AIO_NR=18, /* current system-wide number of aio requests */
-- FS_AIO_MAX_NR=19 /* system-wide maximum number of aio requests */
-+ FS_AIO_MAX_NR=19, /* system-wide maximum number of aio requests */
- };
-
- /* /proc/sys/fs/quota/ */
-@@ -700,7 +725,7 @@
- FS_DQ_ALLOCATED = 6,
- FS_DQ_FREE = 7,
- FS_DQ_SYNCS = 8,
-- FS_DQ_WARNINGS = 9
-+ FS_DQ_WARNINGS = 9,
- };
-
- /* CTL_DEBUG names: */
-@@ -712,7 +737,7 @@
- DEV_PARPORT=3,
- DEV_RAID=4,
- DEV_MAC_HID=5,
-- DEV_SCSI=6
-+ DEV_SCSI=6,
- };
-
- /* /proc/sys/dev/cdrom */
-@@ -755,12 +780,12 @@
-
- /* /proc/sys/dev/parport/parport n/devices/ */
- enum {
-- DEV_PARPORT_DEVICES_ACTIVE=-3
-+ DEV_PARPORT_DEVICES_ACTIVE=-3,
- };
-
- /* /proc/sys/dev/parport/parport n/devices/device n */
- enum {
-- DEV_PARPORT_DEVICE_TIMESLICE=1
-+ DEV_PARPORT_DEVICE_TIMESLICE=1,
- };
-
- /* /proc/sys/dev/mac_hid */
-@@ -775,7 +800,7 @@
-
- /* /proc/sys/dev/scsi */
- enum {
-- DEV_SCSI_LOGGING_LEVEL=1
-+ DEV_SCSI_LOGGING_LEVEL=1,
- };
-
- /* /proc/sys/abi */
-@@ -786,7 +811,7 @@
- ABI_DEFHANDLER_LCALL7=3,/* default handler for procs using lcall7 */
- ABI_DEFHANDLER_LIBCSO=4,/* default handler for an libc.so ELF interp */
- ABI_TRACE=5, /* tracing flags */
-- ABI_FAKE_UTSNAME=6 /* fake target utsname information */
-+ ABI_FAKE_UTSNAME=6, /* fake target utsname information */
- };
-
- #endif /* _LINUX_SYSCTL_H */
+ {